WO2015062097A1 - Procédé et dispositif de traitement de clé en mode de connexion double - Google Patents
Procédé et dispositif de traitement de clé en mode de connexion double Download PDFInfo
- Publication number
- WO2015062097A1 WO2015062097A1 PCT/CN2013/086469 CN2013086469W WO2015062097A1 WO 2015062097 A1 WO2015062097 A1 WO 2015062097A1 CN 2013086469 W CN2013086469 W CN 2013086469W WO 2015062097 A1 WO2015062097 A1 WO 2015062097A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- base station
- key
- terminal
- information
- refresh
- Prior art date
Links
- 230000009977 dual effect Effects 0.000 title claims abstract description 21
- 238000003672 processing method Methods 0.000 title claims abstract description 13
- 238000004891 communication Methods 0.000 claims abstract description 206
- 238000000034 method Methods 0.000 claims abstract description 151
- 230000005540 biological transmission Effects 0.000 claims description 156
- 238000012545 processing Methods 0.000 claims description 70
- 230000008569 process Effects 0.000 description 49
- 230000001960 triggered effect Effects 0.000 description 25
- 238000010586 diagram Methods 0.000 description 18
- 238000004590 computer program Methods 0.000 description 7
- 238000012790 confirmation Methods 0.000 description 7
- 230000006870 function Effects 0.000 description 7
- 230000011664 signaling Effects 0.000 description 7
- 238000012546 transfer Methods 0.000 description 6
- 238000009795 derivation Methods 0.000 description 4
- 238000011084 recovery Methods 0.000 description 4
- 238000012986 modification Methods 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 239000000969 carrier Substances 0.000 description 2
- 230000007774 longterm Effects 0.000 description 2
- 238000011160 research Methods 0.000 description 2
- 238000011144 upstream manufacturing Methods 0.000 description 2
- 238000007599 discharging Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000008520 organization Effects 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/062—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/14—Multichannel or multilink protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/041—Key generation or derivation
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/043—Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
- H04W12/0431—Key distribution or pre-distribution; Key agreement
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/043—Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
- H04W12/0433—Key management protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/80—Wireless
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
- H04L2463/061—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying further key derivation, e.g. deriving traffic keys from a pair-wise master key
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W36/00—Hand-off or reselection arrangements
- H04W36/0005—Control or signalling for completing the hand-off
- H04W36/0055—Transmission or use of information for re-establishing the radio link
- H04W36/0069—Transmission or use of information for re-establishing the radio link in case of dual connectivity, e.g. decoupled uplink/downlink
- H04W36/00692—Transmission or use of information for re-establishing the radio link in case of dual connectivity, e.g. decoupled uplink/downlink using simultaneous multiple data streams, e.g. cooperative multipoint [CoMP], carrier aggregation [CA] or multiple input multiple output [MIMO]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W76/00—Connection management
- H04W76/10—Connection setup
- H04W76/14—Direct-mode setup
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W88/00—Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
- H04W88/08—Access point devices
Definitions
- the present invention relates to the field of communications technologies, and in particular, to a key processing method and apparatus in dual connectivity mode. Background technique
- F1 is a low-band carrier, which is characterized by a large coverage area, but the resources are scarce.
- F2 is a high-band carrier, which is characterized by small coverage but rich resources.
- a lower frequency band carrier is generally used, for example, a low frequency band carrier of frequency F1 is used to serve the user.
- the base station that uses the high-band carrier to perform a certain small coverage is usually called a small base station (or a micro base station), and the coverage of the small base station is generally called a small cell (Small cell). Cell ).
- the main idea of the small cell enhancement is that the user equipment (UE) can simultaneously aggregate the carriers from the macro cell and the small cell to obtain more available radio resources, thereby improving the data transmission rate, as shown in FIG. 2A.
- the data scheduling and transmission method of the UE in the dual connectivity mode is shown in FIG. 2B.
- the Macro Cell is the cell of the macro base station
- the Small Cell is the cell of the micro base station.
- the macro base station is selected as the primary base station (Master eNB, MeNB)
- the micro base station is selected as a secondary base station (Secondary eNB, SeNB).
- the macro base station acts as the primary control station, responsible for UE mobility management, data packet shunting, and so on.
- Case 1 During communication between the UE and the MeNB and the SeNB, the MeNB can always provide reliable coverage, that is, the MeNB can always provide reliable signal quality for the UE;
- Case 2 During communication between the UE and the MeNB and the SeNB, the MeNB cannot guarantee that reliable coverage can always be provided, that is, the MeNB cannot always provide reliable signal quality for the UE.
- the process of generating the security key Ke NB in the existing Long Term Evolution (LTE) system is shown in FIG. 3, and includes:
- the Mobility Management Entity (MME) and the UE are first based on the security context information of the UE stored by itself, such as the key K (ie, Key) in FIG. 3, Encryption key (Cipher Key, CK), integrity protection key
- IK Integrity Key
- the UE and the MME further generate a security key Ke NB based on the generated K ASME .
- the process in which the UE and the MME derive the Ke NB based on the K ASME is as follows: First, determine the following parameters:
- COUNT upstream non-access stratum COUNT, where the COUNT value consists of the superframe number and the sequence number of the packet;
- Ke NB HMAC-SHA-256 ( K ASME , S ), where the key derivation function is composed of IETF RFC 2104 (1997) and ISO/IEC 10118-3 : 2004 standard regulations.
- Ke NB After the UE and the MME generates Ke NB, MME will further Ke NB happen to the eNB. Further, the UE and the eNB generate a key used for data transmission based on the Ke NB , such as a control plane message encryption key, an integrity protection key, and a user plane data encryption key.
- a key used for data transmission based on the Ke NB such as a control plane message encryption key, an integrity protection key, and a user plane data encryption key.
- LI legal identifier length
- Key HMAC-SHA-256 ( Ke NB , S ), where different parameter values are taken for Table 1, and K up nc can be obtained according to the above formula respectively.
- Kcp_ enc i.e. control plane RRC encryption key
- Kc P _ int RRC integrity protection key i.e. the control plane.
- the key derivation function here is defined by the IETF RFC 2104 (1997) and ISO/IEC 10118-3:2004 standards.
- the UE may separately perform data transmission with the two base stations respectively based on different security keys, but may also perform data transmission with the two base stations respectively based on the same security key.
- LTE Long Term Evolution
- the embodiment of the invention provides a key processing method and device in the dual connectivity mode, which ensures the communication security of the UE in the dual connectivity mode, and also avoids the key update or key refresh process. The situation of communication failure now.
- the first aspect is a key processing method in a dual connectivity mode, the method comprising:
- the second base station receives the first request information sent by the first base station, where the first request information is used to request the second base station to generate a key used to communicate with the terminal;
- the second base station generates a key used for communication with the terminal based on the security key carried in the first request information.
- the second base station generates, according to the security key carried in the first request information, a key used for performing communication with the terminal, specifically:
- the second base station generates a key used for communication with the terminal according to the first security key currently used by the first base station carried in the first request information; or
- the second base station generates a security key different from the first security key according to the first security key currently used by the first base station, which is carried in the first request information, and generates a security key according to the generated security key.
- the key generates a key used to communicate with the terminal.
- the second base station generates a security key different from the first security key, and specifically includes:
- the second base station determines at least one physical cell identifier PCI and frequency information of a cell covered by the second base station, and generates and the first security according to the determined PCI and frequency information of the cell and the first security key. A different security key for the key.
- the second base station generates, according to the security key carried in the first request information, a key used for performing communication with the terminal, specifically including :
- the second base station generates a key used for communication with the terminal according to the second security key generated by the mobility management entity MME carried in the first request information for the second base station.
- the method further includes:
- the second base station After receiving the first request information sent by the first base station, the second base station sends second request information to the terminal, where the second request information is used to request the terminal to generate the first request information.
- the second request information includes PCI and frequency information of a cell for generating a security key of the second base station; or, the second request information includes And generating, by the second base station, indication information of the second security key.
- the method also includes:
- the second base station receives the first key refresh indication information sent by the first base station, where the first key refresh indication information is used to indicate that the second base station refreshes the communication used by the terminal Key
- the second base station generates a new security key according to the information carried in the first key refresh indication information, and generates a key used for communication with the terminal according to the new security key.
- the method further includes: a key used by the terminal to communicate, where the method further includes:
- the first base station After the second base station determines that the key refresh is required, the first base station sends the first key refresh indication information to the first base station, where the first key refresh indication information is used to indicate that the first base station refreshes and The key used by the terminal to communicate;
- the second base station receives the first feedback information returned by the first base station to notify that the current key refresh has been completed, and after the second base station completes the local key refresh, uses the refreshed secret.
- the key communicates with the terminal.
- the method further includes:
- the second base station After determining that the key refresh is required, the second base station sends the second key refresh indication information to the terminal, and receives the second feedback that is returned by the terminal to notify that the current key refresh is completed. After the information, use the refreshed key to communicate with the terminal; or,
- the second base station After receiving the first key refresh indication information sent by the first base station, the second base station sends a second key refresh indication information to the terminal, and receives the notification for returning the terminal After the secondary key refreshes the completed second feedback information, notifying the first base station that the terminal has completed the current key refresh;
- the second key refresh indication information is used to instruct the terminal to refresh a key used for communication with the first base station and the second base station.
- the first key refresh indication information includes: a PCI and frequency information of a target cell used for the current key refresh, and a next hop NH value used for the current key refresh; or
- the information of the key refresh is performed using the PCI and frequency information of the current primary cell of the terminal, and the NH value used for the key refresh.
- the eighth possible implementation if the first base station and the second base station generate a key used for communicating with the terminal based on different security keys, the method also includes:
- the first base station After the second base station determines that the local key is to be refreshed, the first base station sends the first indication information to the first base station, where the first indication information is used to indicate that the data of the terminal is forwarded to the second base station; Or,
- the second base station After determining that the local key is updated, the second base station sends first indication information to the first base station, where the first indication information is used to indicate that the data of the terminal is forwarded to the second base station.
- the first indication information is used to indicate that the data of the terminal is forwarded to the second base station.
- the second base station suspends data transmission related to the terminal, and resumes data related to the terminal after receiving an indication sent by the first base station to indicate that data transmission related to the terminal is resumed transmission.
- the method further includes:
- the second base station After determining that the local key refresh is required, the second base station sends the second key refresh indication information to the terminal, and receives the second returned by the terminal to notify that the current key refresh is completed. After the information is fed back, the first base station is notified to resume data transmission related to the terminal, where the second key refresh indication information is used to instruct the terminal to refresh a key for communicating with the second base station; or ,
- the second base station After receiving the first indication information sent by the first base station, the second base station sends a second key refresh indication information to the terminal, and receives the key that is returned by the terminal for notifying the current key. After the second feedback information is refreshed, the first base station is notified that the terminal has completed the current key refresh, where the second key refresh indication information is used to indicate that the terminal refreshes with the first The key of the base station communication; or,
- the second base station After determining that the local key update is required, the second base station sends the second key update indication information to the terminal, and receives the second returned by the terminal to notify that the current key update has been completed. After the information is returned, the first base station is notified to resume data transmission related to the terminal, where the second key update indication information is used to instruct the terminal to update a key for communicating with the second base station; or , After receiving the first indication information sent by the first base station, the second base station sends a second key update indication information to the terminal, and receives the key that is returned by the terminal for notifying the current key. After updating the completed second reply information, notifying the first base station that the terminal has completed the current key update, where the second key update indication information is used to indicate that the terminal updates and the first The key for base station communication.
- the second key refresh indication information includes: the PCI and frequency information of the target cell used for the current key refresh, and the NH value used for the current key refresh; or The instruction information for performing key refresh on the PCI and frequency information of the current primary cell of the terminal, and the NH value used for the current key refresh.
- the second key refresh indication information further includes information that the first base station or the second base station performs random access for the terminal.
- the method further includes:
- the second base station receives the first key update indication information sent by the first base station, where the first key update indication information carries the first base station to acquire a new security key from the MME;
- the second base station updates a key used for communicating with the terminal according to the new security key;
- the second base station After completing the current key update, the second base station returns, to the first base station, first reply information for notifying that the current key update has been completed.
- the method further includes:
- the second base station After receiving the first key update indication information sent by the first base station, the second base station sends second key update indication information to the terminal, and receives the notification for returning the terminal After the secondary key updates the completed second reply information, notifying the first base station that the terminal is finished And a second key update indication information, where the second key update indication information is used to instruct the terminal to update a key used for communication with the first base station and the second base station.
- the method further includes:
- the second base station suspends data transmission related to the terminal when determining that a key refresh needs to be performed or receiving the first key refresh indication information sent by the first base station; and the second base station determines itself And after the terminal completes the local key refresh, recovering the data transmission related to the terminal by using the refreshed key; or
- the second base station suspends data transmission related to the terminal when determining that a key update needs to be performed or receiving the first key update indication information sent by the first base station; and the second base station determines itself And after the terminal completes the local key update, the updated key is used to recover the data transmission related to the terminal.
- the second aspect is a key processing method in a dual connectivity mode, the method comprising:
- the terminal generates a key used for communication with the second base station according to the second request information.
- the terminal according to the second request information, generates a key used for performing communication with the second base station, specifically:
- the terminal generates, according to the saved security context information used to generate the second security key of the second base station,
- the second security key includes:
- the terminal receives the identifier of the security context information used by the MME to generate the second security key, and generates the second security key according to the saved security context information corresponding to the identifier.
- the method further includes:
- the terminal performs random access on a cell corresponding to the PCI and frequency information used to generate the security key of the second base station included in the second request information, to access the second base station; or ,
- the terminal performs random access on the cell specified by the first base station or the second base station in the second request information for the terminal to perform random access, to access the second Base station.
- the method further includes:
- the terminal receives the second key refresh indication information sent by the first base station or the second base station, where the second key refresh indication information is used to indicate that the terminal refreshes with the first base station and/or a key used by the second base station to perform communication;
- the terminal generates a new security key according to the information carried in the second key refresh indication information, and generates communication with the first base station and/or the second base station based on the new security key generation.
- the second key refresh indication information includes: the PCI and frequency information of the target cell used for the current key refresh, and the NH value used for the current key refresh; or The instruction information for performing key refresh on the PCI and frequency information of the current primary cell of the terminal, and the NH value used for the current key refresh.
- the second key refresh indication information further includes information that the first base station or the second base station performs a cell designated by the terminal for random access, and the terminal is in the indicated cell. Random access; or
- the second key refresh indication information indicates that the terminal does not perform random access, and the terminal does not perform random access.
- the method further includes:
- the terminal receives the second key update indication information sent by the first base station or the second base station, where the second key update indication information is used to indicate that the terminal updates the first base station and the a key used by the second base station to communicate;
- the terminal generates a new security key according to the saved security context information, and generates a key used for communication with the first base station and the second base station according to the new security key;
- the first base station or the second base station returns second reply information for notifying that the current key update has been completed.
- a base station includes:
- a receiving module configured to receive first request information sent by the first base station, where the first request information is used to request the base station to generate a key used for communicating with the terminal;
- a processing module configured to generate, according to the security key carried in the first request information, a key used for communicating with the terminal;
- the base station and the first base station each have a communication connection with the terminal.
- the processing module is specifically configured to:: according to the first security secret currently used by the first base station that is carried in the first request information Key, generating a key used to communicate with the terminal; or
- the processing module generates a security key different from the first security key, and specifically includes:
- the processing module is specifically configured to: generate, according to the MME that is carried in the first request information, a second security key generated by the base station, The key used to communicate.
- the processing module is further configured to:
- the receiving module After receiving the first request information sent by the first base station, the receiving module sends second request information to the terminal, where the second request information is used to request the terminal to generate a second base station with the second base station.
- the key used to communicate is used to communicate.
- the first base station if the first base station generates a key used by the first base station to communicate with the terminal based on the same security key, the first base station:
- the receiving module is further configured to receive the first key refresh indication information that is sent by the first base station, where the first key refresh indication information is used to indicate that the base station refreshes a key used for communicating with the terminal;
- the processing module is further configured to generate a new security key according to the information carried in the first key refresh indication information, and generate a key used for communication with the terminal according to the new security key.
- the fourth possible implementation manner, or the fifth possible implementation manner of the third aspect, in the sixth possible implementation manner if the first base station and the local base station generate and the terminal based on the same security key The key used for communication, the processing module is further configured to:
- the first key refresh indication information is sent to the first base station, where the first key refresh indication information is used to indicate that the first base station refreshes communication with the terminal. a key; and after receiving the first feedback information returned by the first base station to notify that the current key refresh has been completed, and after the local key refresh has been completed, using the refreshed key and the Terminal communication.
- the processing module is further configured to:
- the first base station After receiving the first key refresh indication information sent by the first base station, sending the second key refresh indication information to the terminal, and receiving the return of the key for notifying the current key refresh After the second feedback information is completed, the first base station is notified that the terminal has completed the current key refresh;
- the second key refresh indication information is used to instruct the terminal to refresh a key used for communication with the first base station and the base station.
- the processing module further Used for:
- the first indication information is used to indicate that the data of the terminal is to be forwarded to the local base station; or, after determining that the local key is updated, the first indication information is sent to the first base station, where the first indication information is sent. It is used to instruct to suspend forwarding of data of the terminal to the base station.
- the first base station and the local base station generate, according to different security keys, a key used for communicating with the terminal, where:
- the receiving module is further configured to receive first indication information that is sent by the first base station, where the first indication information is used to indicate that data transmission related to the terminal is suspended;
- the processing module is further configured to suspend data transmission related to the terminal, and after the receiving module receives an indication sent by the first base station to indicate that data transmission related to the terminal is resumed, The terminal is related to data transmission.
- the processing module is further configured to:
- the receiving module After receiving the first indication information sent by the first base station, the receiving module sends a second key refresh indication information to the terminal, and receives the return of the key to notify the current key refresh. After the second feedback information is completed, the first base station is notified that the terminal has completed the current key refresh, where the second key refresh indication information is used to indicate that the terminal refreshes with the first base station. Communication key; or,
- the receiving module After receiving the first indication information sent by the first base station, the receiving module sends the second key update indication information to the terminal, and receives the return of the key to notify the current key update.
- the first base station is notified that the terminal has completed the current key update, where the second key update indication information is used to indicate that the terminal updates the first base station. The key to communication.
- the receiving module is further configured to: receive the first key update indication information sent by the first base station, where the first key update indication information carries the first base station to acquire a new security key from the MME;
- the processing module is further configured to: update a key used for communication with the terminal according to the new security key; and return to the first base station for notification after completing the current key update The first reply information that this key update has been completed.
- the processing module is further configured to:
- the receiving module After receiving the first key update indication information sent by the first base station, the receiving module sends the second key update indication information to the terminal, and receives the notification returned by the terminal for notifying the current After the key is updated with the second reply information, the first base station is notified that the terminal has completed the current key update, where the second key update indication information is used to indicate that the terminal updates and the The key used by the first base station and the base station to communicate.
- the processing module is further configured to:
- the data transmission related to the terminal is suspended; and after determining that both the terminal and the terminal complete the local key refresh, the data transmission related to the terminal is restored by using the refreshed key; or
- a fourth aspect a terminal, where the terminal has a communication connection with the first base station and the second base station, including:
- a receiving module configured to receive second request information sent by the first base station or the second base station, where the second request information is used to request the terminal to generate a communication with the second base station Key
- a processing module configured to generate, according to the second request information, a key used for communicating with the second base station.
- the processing module is specifically configured to: generate, according to a security algorithm used by the second base station, and a first security key generated by the first base station a key used to communicate with the second base station; or
- the receiving module is further configured to: receive a security context that is used by the MME to generate the second security key Identification of information;
- the processing module is specifically configured to: generate the second security key according to the saved security context information corresponding to the identifier.
- the processing module is further configured to:
- the first base station or the second base station included in the second request information performs random access on a cell designated by the terminal for random access to access the second base station.
- the receiving module is further configured to: receive the second key refresh indication information that is sent by the first base station or the second base station, where the second key refresh indication information is used to indicate that the terminal refreshes a key used by a base station and/or the second base station to communicate;
- the processing module is further configured to: generate a new security key according to the information carried in the second key refresh indication information, and generate, according to the new security key, the first base station and/or the a key used by the second base station to perform communication; and returning, to the first base station or the second base station, second feedback information for notifying that the current key refresh has been completed.
- the receiving module is further configured to: receive second key update indication information that is sent by the first base station or the second base station, where the second key update indication information is used to indicate that the terminal updates and the a key used by a base station and the second base station to communicate;
- the processing module is further configured to: generate a new security key according to the saved security context information, and generate a key used to communicate with the first base station and the second base station according to the new security key And returning, to the first base station or the second base station, second reply information for notifying that the current key update has been completed.
- another base station includes:
- a transceiver configured to receive first request information sent by the first base station, where the first request information is used by Requesting the base station to generate a key used for communicating with the terminal;
- a processor configured to generate, according to the security key carried in the first request information, a key used for communicating with the terminal;
- the base station and the first base station each have a communication connection with the terminal.
- the processor is specifically configured to: generate, according to the first security key currently used by the first base station, carried in the first request information, a key used by the terminal to communicate; or
- the processor generates a security key different from the first security key, and specifically includes:
- the processor is specifically configured to: generate, according to the MME that is carried in the first request information, a second security key generated by the base station, and generate the terminal The key used to communicate.
- the transceiver is further configured to:
- the transceiver is further configured to receive the first key refresh indication information sent by the first base station, where the first key is Key refresh indication information is used to indicate that the base station refreshes a key used for communicating with the terminal;
- the processor is further configured to generate a new security key according to the information carried in the first key refresh indication information, and generate a key used for communication with the terminal according to the new security key.
- the processor is further configured to:
- the transceiver After the key refresh is determined, the transceiver is triggered to send the first key refresh indication information to the first base station, where the first key refresh indication information is used to indicate that the first base station refreshes and a key used by the terminal to perform communication; and after the transceiver receives the first feedback information returned by the first base station to notify that the current key refresh has been completed, and has completed the local key refresh Communication with the terminal is performed using the refreshed key.
- the processor is further configured to: after determining that a key refresh is required, trigger the transceiver to send a second key refresh indication information to the terminal, and receive, at the transceiver, the returned by the terminal After notifying the second feedback information that the key refresh has been completed, using the refreshed key to communicate with the terminal;
- the transceiver is further configured to: after receiving the first key refresh indication information sent by the first base station, send the second key refresh indication information to the terminal, and receive the return of the terminal After notifying the second feedback information that the key refresh has been completed, notifying the first base station that the terminal has completed the current key refresh;
- the second key refresh indication information is used to instruct the terminal to refresh a key used for communication with the first base station and the base station.
- the transceiver if the first base station and the local base station generate a key used for communicating with the terminal based on different security keys, the transceiver further Used for:
- the first indication information is sent to the first base station, where the first indication information is used to indicate that the data of the terminal is temporarily forwarded to the local base station; or After the processor determines that the local key update is required, the first indication information is sent to the first base station, where the first indication information is used to indicate that the data of the terminal is forwarded to the local base station.
- the first base station and the local base station generate, according to different security keys, a key used for communicating with the terminal, where:
- the transceiver is further configured to receive first indication information that is sent by the first base station, where the first indication information is used to indicate that data transmission related to the terminal is suspended;
- the processor is further configured to suspend data transmission related to the terminal, and after the transceiver receives an indication sent by the first base station to indicate that data transmission related to the terminal is resumed, The terminal is related to data transmission.
- the transceiver is further configured to:
- the second key refresh indication information is sent to the terminal, and the second feedback returned by the terminal for notifying that the key refresh has been completed is received.
- the first base station is notified to resume data transmission related to the terminal, and the second key refresh indication information is used to instruct the terminal to refresh a key for communicating with the base station; or, after receiving the After the first indication information sent by the first base station, sending the second secret to the terminal.
- the key refresh indication information and after receiving the second feedback information that is sent by the terminal to notify that the current key refresh has been completed, notifying the first base station that the terminal has completed the current key refresh, where The second key refresh indication information is used to instruct the terminal to refresh a key that communicates with the first base station; or
- the second key update indication information is sent to the terminal, and after receiving the second reply information returned by the terminal for notifying that the current key update has been completed. Notifying the first base station to resume data transmission related to the terminal, where the second key update indication information is used to instruct the terminal to update a key for communicating with the base station; or
- the terminal After receiving the first indication information sent by the first base station, sending, by the terminal, second key update indication information, and receiving, by the terminal, a message for notifying that the current key update has been completed After the second information is returned, the terminal is notified that the terminal has completed the current key update, and the second key update indication information is used to instruct the terminal to update the key that communicates with the first base station.
- the transceiver is further configured to: receive the first key update indication information that is sent by the first base station, where the first key update indication information carries the first base station to obtain a new security key from the MME;
- the processor is further configured to: update a key used for communication with the terminal according to the new security key; and trigger the transceiver to return to the first base station after completing the current key update The first reply message used to notify that the key update has been completed.
- the transceiver is further configured to:
- the second key update indication information is used to indicate that the terminal updates a key used for communicating with the first base station and the base station.
- the processor is further configured to:
- Suspending data transmission related to the terminal when determining that a key refresh needs to be performed or receiving the first key refresh indication information sent by the first base station; and determining that the user and the terminal complete the local key refresh Afterwards, using the refreshed key to recover data transmission related to the terminal; or
- the terminal has a communication connection between the terminal and the first base station and the second base station, including:
- a transceiver configured to receive second request information sent by the first base station or the second base station, where the second request information is used to request the terminal to generate a communication with the second base station Key
- a processor configured to generate, according to the second request information, a key used for communicating with the second base station.
- the processor is specifically configured to: generate, according to a security algorithm used by the second base station, and a first security key generated by the first base station a key used to communicate with the second base station; or
- the transceiver is further configured to: receive a security context that is used by the MME to generate the second security key
- the identifier of the information is further configured to: generate the second security key according to the saved security context information corresponding to the identifier.
- the processor is further used to:
- the first base station or the second base station included in the second request information performs random access on a cell designated by the terminal for random access to access the second base station.
- the transceiver is further configured to: receive, sent by the first base station or the second base station a second key refresh indication information, where the second key refresh indication information is used to indicate that the terminal refreshes a key used for communication with the first base station and/or the second base station;
- the processor is further configured to: generate a new security key according to information carried in the second key refresh indication information, and generate, according to the new security key, the first base station and/or the a key used by the second base station to communicate; and triggering the transceiver to return, to the first base station or the second base station, second feedback information for notifying that the key refresh has been completed.
- the transceiver is further configured to: receive, by using the first base station or the second base station, a second key update indication information, where the second key update indication information is used to indicate that the terminal updates a key used for communication with the first base station and the second base station;
- the processor is further configured to: generate a new security key according to the saved security context information, and generate a communication with the first base station and the second base station according to the new security key. And the triggering transceiver returns, to the first base station or the second base station, second reply information for notifying that the current key update has been completed.
- FIG. 1 is a schematic diagram of enhancement of a small cell in the background art
- 2A is a schematic diagram of a first dual connectivity mode in the background art
- 2B is a schematic diagram of a second dual connectivity mode in the background art
- FIG. 4 is a schematic diagram of a method for processing a key on a base station side according to an embodiment of the present invention
- FIG. 5 is a schematic diagram of a method for processing a key on a terminal side according to an embodiment of the present disclosure
- FIG. 6 is a schematic flowchart diagram of Embodiment 1 according to an embodiment of the present disclosure.
- FIG. 7 is a schematic flowchart of Embodiment 2 according to an embodiment of the present disclosure.
- FIG. 8 is a schematic flowchart of Embodiment 3 according to an embodiment of the present disclosure.
- FIG. 9 is a schematic flowchart diagram of Embodiment 4 according to an embodiment of the present disclosure.
- FIG. 10 is a schematic flowchart diagram of Embodiment 5 according to an embodiment of the present disclosure.
- FIG. 11 is a schematic diagram of a base station according to an embodiment of the present disclosure.
- FIG. 12 is a schematic diagram of a terminal according to an embodiment of the present disclosure.
- FIG. 13 is a schematic diagram of another base station according to an embodiment of the present disclosure.
- FIG. 14 is a schematic diagram of another terminal according to an embodiment of the present invention. detailed description
- the embodiment of the invention provides a key processing method when the terminal works in the dual connectivity mode, including a specific implementation scheme of initial key generation, key refresh and key update, which ensures communication of the terminal in dual connectivity mode. Safety.
- an embodiment of the present invention provides a key processing method in a dual connectivity mode, where the method includes the following steps: 541.
- the first base station and the second base station that are in communication connection with the terminal, the second base station receives the first request information sent by the first base station, where the first request information is used to request the second base station to generate a communication with the terminal.
- the first request information carries a security key, so that the second base station can generate a key used for communication with the terminal according to the security key.
- the security key carried in the first request information may be the first security key currently used by the first base station, or may be the second security generated by the Mobility Management Entity (MME) for the second base station.
- the first security key currently used by the first base station may be a first security key generated by the Mobility Management Entity (MME) for the first base station (ie, ), that is, the initial first security key; or the first security key after the first base station refreshes or updates, that is, after the first base station determines that the key refresh trigger condition (or the key update trigger condition) is satisfied, , refresh (or update) the first security key currently in use.
- MME Mobility Management Entity
- At least one set of security context information for generating a security key is stored in the MME and the terminal, and the MME (or terminal) may generate different security keys based on each set of security context information stored by the MME, where the MME And the security context information stored in the terminal is the same.
- Each set of security context information includes at least , CK, and IK parameters.
- the first security key of the first base station is generated to ensure that the MME and the terminal use the same security context information, and the second a second security key of the base station, or a security key of the first base station and the second base station (ie, the first base station and the second base station use the same security key).
- the MME indicates that the terminal is used to generate the first base station.
- the present invention is not limited to the above method, and any method that can ensure that the MME and the first security key and the second security key generated by the terminal are the same can be applied to the present invention.
- the second base station generates a key used for communication with the terminal based on the security key carried in the received first request information.
- the second base station receives the first request information sent by the first base station, where the first request information is used to request the second base station to generate a key used for communicating with the terminal; the second base station is based on the received
- the security key carried in the request information generates a key used for communication with the terminal, so that the second base station can generate a key used for communication with the terminal, thereby ensuring communication security of the terminal in the dual connection mode.
- the key used by the base station (including the first base station and the second base station) to communicate with the terminal includes, but is not limited to, one or a combination of the following keys:
- the encryption key of the control plane message the integrity protection key of the control plane message, and the encryption key of the user plane data.
- the initial key generation process of the second base station is performed by the primary base station of the terminal
- the first base station is the primary base station of the terminal in the above steps S41 and S42
- the second base station is the secondary base station of the terminal (for example, the small cell belongs to Base station, base station to which the secondary cell belongs, and the like).
- the first request information sent by the first base station to the second base station may be an SeNB increase request message, where the SeNB add request message is used to request the second base station to perform offloading for the first base station. And the SeNB adds a request message carrying a security key.
- the triggering condition of the SeNB addition request message sent by the first base station to the second base station is: the first base station offloads part of the service or part of the data to the second base station for transmission based on the need to uninstall the self load, so The base station sends an SeNB Add Request message to request the second base station to offload the first base station.
- the SeNB addition request message may include related information of services or data that need to be offloaded by the second base station.
- step S42 after receiving the SeNB addition request message sent by the first base station, the second base station determines whether it is allowed to offload the first base station, and when determining that the offloading can be performed, according to the The SeNB adds the security key carried in the request message, generates a key used for communication with the terminal, and then returns a SeNB addition confirmation message to the first base station.
- the embodiment of the present invention does not limit the execution sequence of the foregoing two processes.
- the second base station may first determine whether it is allowed. Discharging the first base station, and then generating a key used for communication with the terminal according to the security key carried in the SeNB addition request message; or, after receiving the SeNB increase request message sent by the first base station, the second base station The key used for communication with the terminal may be generated according to the security key carried in the SeNB addition request message, and then it is determined whether it is allowed to be offloaded for the first base station.
- the SeNB adds an acknowledgment message carrying an indication indicating that the second base station is allowed to offload the first base station, or carrying information about the SCell that can be offloaded by the first base station ( Preferably, the SeNB adds an acknowledgment message that carries the identification information of the security algorithm used by the second base station, and/or the second base station determines the number of the security algorithm used by the second base station.
- Information of at least one cell covered by the second base station (such as identification information of the cell and/or frequency information of the cell, etc.);
- the SeNB adds an acknowledgment message to indicate that the second base station does not allow the first base station to be offloaded.
- the first request information received by the second base station may use an existing SeNB addition request message, so that when the first base station performs the offload configuration, the second base station can generate the communication used by the terminal.
- the key saves system signaling overhead.
- the first request information may also adopt other existing messages, or adopt new signaling, for example, a SCell addition request message, and the embodiment of the present invention does not limit the implementation manner of the first request information.
- step S42 specifically includes the following implementation manners:
- the first security key is the first security key currently used by the first base station
- the second base station is configured according to the first security secret currently used by the first base station carried in the first request information. Key, which generates the key used to communicate with the terminal.
- the first security key currently used by the first base station may be an initial first security key generated by the MME for the first base station, or the first security key after the first base station is refreshed, or after the first base station is updated.
- the first security key may be an initial first security key generated by the MME for the first base station, or the first security key after the first base station is refreshed, or after the first base station is updated. The first security key.
- the second base station generates a key used for communication with the terminal according to the first security key currently used by the first base station and the security algorithm of the first base station carried in the first request information.
- the first base station and the second base station respectively generate the same security key using the same security key.
- the key used by the terminal to communicate is the same security key using the same security key.
- the security key carried in the first request information is the first security key currently used by the first base station, and then: the second base station according to the first security key currently used by the first base station carried in the first request information And generating a security key different from the first security key, and generating a key used for communication with the terminal according to the generated security key.
- the first security key currently used by the first base station may be an initial first security key generated by the MME for the first base station, or a first security key after the first base station is refreshed, or updated by the first base station.
- the first security key may be an initial first security key generated by the MME for the first base station, or a first security key after the first base station is refreshed, or updated by the first base station. The first security key.
- the second base station first generates a security key different from the first security key currently used by the first base station, based on the first security key currently used by the first base station, and then generates the security key and the security according to the security key.
- the algorithm generates a key used to communicate with the terminal.
- the second base station generates a security key different from the first security key
- the method includes: determining, by the second base station, at least one physical cell identity (PCI) and frequency information of a cell of the second base station, where And generating, according to the determined PCI and frequency information of the cell, a security key different from the first security key currently used by the first base station.
- PCI physical cell identity
- the cell of the second base station determined by the second base station refers to a cell managed or controlled by the second base station (or a cell associated with the second base station).
- the second base station generates a key used for communication with the same terminal using a different security key than the first base station.
- the first request information carries the first security key currently used by the first base station, and the first base station may pre-arrange with the second base station whether to use the same security key to generate and perform the terminal.
- the key used by the communication; the protocol may be used to specify whether the first base station and the second base station use the same security key to generate a key used for communication with the terminal; and may also carry the indication information in the first request information. And generating a key used by the second base station to communicate with the terminal using the same security key as the first base station.
- the security key carried in the first request information is the second security key generated by the MME, and the second base station generates the second security key carried in the first request information.
- the key used to communicate with the terminal is the second security key generated by the MME, and the second base station generates the second security key carried in the first request information.
- the first base station acquires the second security key generated by the MME as the second base station from the MME before sending the first request information.
- the MME stores at least two sets of security context information, and respectively generates two different security keys, which are respectively used as a first security key of the first base station and a second security key of the second base station; correspondingly, the terminal also Storing at least two sets of security context information, respectively generating two different security keys, respectively as a first security key for generating a key used for communicating with the first base station and generating a secret for communicating with the second base station The second security key of the key.
- the MME and the second security key generated by the terminal are the same, that is, the MME and the terminal generate the first security key based on the same security context information, and the MME and the terminal generate the second information based on the same security context information.
- Security key
- the first security key may be generated by using the security context information in sequence according to the sequence of the stored security context information.
- the second security key; the MME and the terminal may also agree on the security context information used to generate the first security key and the security context information used to generate the second security key; the MME may also notify the terminal to generate the first security key.
- the first base station generates a key used for communication with the terminal by using the first security key currently used by the first base station
- the second base station uses the second security key generated by the MME for the second base station to generate and The key used by the same terminal to communicate.
- the key processing method provided by the embodiment of the present invention further includes: triggering a terminal to generate a key used for communicating with the second base station, and specifically includes the following two implementation methods:
- the second base station triggers the terminal to generate a key used for communication with the second base station, which is specifically:
- the second base station After receiving the first request information sent by the first base station, the second base station sends the second request information to the terminal to request the terminal to generate a key used for communicating with the second base station, where the second request letter is used.
- the information carries the identification information of the security algorithm used by the second base station.
- the second base station when receiving the first request information sent by the first base station, may first send the second request information to the terminal, and then generate a communication with the terminal according to the security key carried in the first request information.
- the key used by the second base station may also generate a key used for communication with the terminal according to the security key carried in the first request information when receiving the first request information sent by the first base station, and then The terminal sends the second request information, and the embodiment of the present invention does not limit the sending time of the second base station to send the second request information.
- Method 2 The first base station triggers the terminal to generate a key used for communicating with the second base station, specifically:
- the first base station sends the second request information to the terminal to request the terminal to generate a key used for communication with the second base station, where the second request information carries the identification information of the security algorithm used by the second base station.
- the first base station may send the second request information to the terminal before sending the first request information to the second base station, or may send the second request to the terminal after sending the first request information to the second base station.
- the information may be used to send the first request information to the second base station and the second request information to the terminal.
- the embodiment of the present invention does not limit the sending time of the second base station to send the second request information.
- the second request information further includes a second security for generating the second base station.
- the PCI and frequency information of the cell of the key so that the terminal can generate a key used for communication with the second base station according to the PCI and frequency information of the cell and the security algorithm of the second base station, so that the terminal and the second base station Communicate using the same key used.
- the second request information further includes, to indicate that the terminal generates the second base station. And the indication information of the second security key, so that the terminal can generate the second security key according to the security context information that is saved by the second security key for generating the second base station, and generate the second security key according to the generated second security key.
- the key used to communicate with the second base station thereby causing the terminal to communicate with the same key used by the second base station.
- the second request information further includes information about a cell of the second base station that can be randomly accessed by the first base station or the second base station, such as identity information of the cell, and/or frequency information of the cell, and the like.
- the cell specified in the second request information can perform a random access procedure to access the second base station.
- the first base station if the first base station triggers the terminal to generate a key used for communication with the second base station, the first base station sends the second request information to the terminal, as a preferred implementation manner, where the second request information may be Reconfigure messages for Radio Resource Control (RRC) connections.
- RRC Radio Resource Control
- the system signaling overhead is saved because the second request information can use the existing RRC reconfiguration message.
- the second request information may also adopt other existing messages, or adopt new signaling.
- the embodiment of the present invention does not limit the implementation manner of the second request information.
- key synchronization key refresh
- key update key-rekey
- the key refresh (key refresh)
- the key refresh process may be triggered by the primary base station of the terminal, such as the base station to which the macro cell belongs, the base station to which the primary cell belongs, or the secondary base station (such as the base station to which the small cell belongs and the secondary cell to which the secondary cell belongs.
- the base station or the like triggers, that is, the first base station involved in the key refreshing process may be the primary base station of the terminal (in this case, the second base station is the secondary base station of the terminal), and the first base station may also be the secondary base station of the terminal (at this time)
- the second base station is the primary base station of the terminal).
- the key refreshing provided by the embodiment of the present invention specifically includes the following two situations: Case 1: In the above key generation process, the second base station uses the mode 1 to generate a key used for communicating with the terminal, that is, the first A base station and the second base station use the same security key to generate a key used for communication with the terminal, and the method further includes the following two methods:
- the key refresh process is triggered by the first base station, which is specifically:
- the key refresh indication information is used to instruct the second base station to refresh the key used for communication with the terminal; and the second base station generates a new security key according to the information carried in the first key refresh indication information, and according to the new security The key generates a key used to communicate with the terminal.
- the first base station after determining that the key refresh is required, sends the first key refresh indication information to the second base station. Specifically, the first base station may actively trigger the key refresh, that is, the set key is satisfied. When the trigger condition is refreshed, the first base station determines that the key refresh needs to be performed; after receiving the refresh request sent by the second base station, the first base station determines that the key refresh needs to be performed.
- the key refresh key trigger conditions can be found under the existing single connection mode trigger condition during refresh, see 33.401 specific agreement, the third Generation Partnership Project (The 3 rd Generation Partnership, 3GPP ) system architecture study ( Security Architecture (SA) in System Architecture Evolution (SAE).
- SA Security Architecture
- SAE System Architecture Evolution
- PDCP Packet Data Convergence Protocol
- COUNT Packet Data Convergence Protocol
- the key refresh request sent by the second base station to the first base station includes the cell that the second base station can perform random access in the current key refresh process determined by the second base station from the cell covered by the second base station.
- Information (such as identification information of a cell, and/or frequency information of a cell, etc.).
- the first key refresh indication information includes: PCI and frequency information of the target cell used for the current key refresh, and a next hop (NH) value used for the current key refresh; or The indication information used to indicate the key refresh using the PCI and frequency information of the current primary cell of the terminal, and the NH value used for the current key refresh.
- the first key refresh indication information further includes information, such as cell identification information, and/or frequency information of the cell, that is specified by the first base station for the terminal to perform random access, so that the terminal is specified.
- the cell performs random access; or the first key refresh indication information further carries indication information indicating that the terminal does not perform random access, so that the terminal ignores the random access procedure.
- the cell that is designated by the first base station to perform random access for the terminal and the target cell (or the primary cell) may be the same cell, or may be different cells;
- the first key refresh indication information only needs to be carried once.
- the second base station after receiving the first key refresh indication information, the second base station generates a new security key according to the information carried in the first key refresh indication information, and generates and communicates with the terminal based on the new security key generation. The key used for communication.
- the second base station if the first key refresh indication information includes the PCI and frequency information of the target cell used for the current key refresh, and the next hop NH value used for the current key refresh, the second base station according to the indicated NH The value and the indicated PCI and frequency information of the target cell generate a new security key, and generate a key used for communicating with the terminal according to the new security key;
- the first key refresh indication information includes indication information indicating that the PCI and frequency information of the current primary cell of the terminal is used for key refresh, and an NH value used for the current key refresh
- the second base station according to the indication
- the NH value and the PCI and frequency information of the current primary cell of the terminal generate a new security key, and generate a key used for communication with the terminal according to the new security key.
- the first base station generates a new security key in the same manner as the second base station, and generates a key used for communication with the terminal based on the new security key to complete the local key refresh.
- the embodiment of the present invention does not limit the time at which the first base station performs local key refresh, and the first base station may perform local key refresh at any time after determining that the key refresh is required.
- the method provided by the embodiment of the present invention further includes: triggering the terminal to perform key refresh, specifically including the following two trigger modes:
- the second base station triggers the terminal to perform key refresh, which is specifically:
- the second base station After receiving the first key refresh indication information sent by the first base station, the second base station sends the second key refresh indication information to the terminal, and receives the first returned by the terminal to notify that the key refresh has been completed. After the feedback information, the first base station terminal is notified that the key refresh has been completed.
- the second key refresh indication information is used to instruct the terminal to refresh the key used for communication with the first base station and the second base station.
- the embodiment of the present invention does not limit the time at which the second base station triggers the terminal to perform key refresh, and the second key refresh indication information may be sent at any time after receiving the first key refresh indication information sent by the first base station.
- the first base station triggers the terminal to perform key refresh, which is specifically: After determining that the key refresh is required, the first base station sends the second key refresh indication information to the terminal, and after receiving the second feedback information returned by the terminal for notifying that the key refresh has been completed, after the refresh is used
- the key communicates with the terminal; wherein the second key refresh indication information is used to instruct the terminal to refresh the key used for communicating with the first base station and the second base station.
- the embodiment of the present invention does not limit the time at which the second base station triggers the terminal to perform key refresh, and the second key refresh indication information may be sent at any time after the second base station determines that the key refresh is required.
- the second base station when receiving the first key refresh indication information sent by the first base station, the second base station suspends data transmission with the terminal, thereby avoiding data packet loss; and the second base station determines itself After the terminal completes the local key refresh, the refreshed key is used to resume communication with the terminal.
- the second base station receives the first key refresh indication information sent by the first base station, the data transmission with the terminal may not be suspended if the data packet loss is allowed.
- the first base station suspends data transmission with the terminal when determining that a key refresh is needed, thereby avoiding data packet loss; and the first base station completes determining itself, the second base station, and the terminal. After the local key is refreshed, the refreshed key is used to resume communication with the terminal.
- the first base station determines that the key refresh is needed, the data transmission with the terminal may not be suspended if the data packet loss is allowed.
- the first base station pauses data transmission with the terminal and suspends forwarding data to the second base station when determining that a key refresh is required; if the second base station is the primary base station, The second base station suspends data transmission with the terminal and suspends forwarding of data to the first base station when it is determined that key refresh is required.
- the key refresh process is triggered by the second base station, which is specifically:
- the second base station After determining that the key refresh is required, the second base station sends the first key refresh indication information to the first base station, where the first key refresh indication information is used to instruct the first base station to refresh the key used for communicating with the terminal; as well as
- the second base station receives the first feedback information returned by the first base station to notify that the current key refresh has been completed, and after the second base station completes the local key refresh, uses the refreshed key to communicate with the terminal.
- the process of performing local key refreshing by the second base station is similar to the process of performing local key refreshing by the first base station in the first mode, and details are not described herein again.
- the method of the embodiment of the present invention further includes: triggering the terminal to perform key refreshing, specifically including the following two triggering modes:
- the second base station triggers the terminal to perform key refresh, which is specifically:
- the second base station After determining that the key refresh is required, the second base station sends the second key refresh indication information to the terminal, and after receiving the second feedback information returned by the terminal for notifying that the key refresh has been completed, after the refresh is used.
- the key communicates with the terminal; wherein the second key refresh indication information is used to instruct the terminal to refresh the key used for communicating with the first base station and the second base station.
- the first base station triggers the terminal to perform key refresh, which is specifically:
- the first base station After receiving the first key refresh indication information sent by the second base station, the first base station sends the second key refresh indication information to the terminal, and receives the first returned by the terminal to notify that the key refresh has been completed. After the feedback information, the second base station terminal is notified that the key refresh has been completed.
- the second key refresh indication information is used to instruct the terminal to refresh the key used for communication with the first base station and the second base station.
- the second base station suspends data transmission related to the terminal when determining that a key refresh is needed, thereby avoiding data packet loss; and the second base station determines that both the terminal and the terminal complete the local key.
- the second base station restores the data transmission related to the terminal by using the refreshed key after determining that the first base station and the terminal complete the local key refresh.
- the second base station determines that the key refresh is needed, the data transmission related to the terminal may not be suspended if the data packet loss is allowed.
- the first base station when receiving the first key refresh indication information sent by the second base station, the first base station suspends data transmission related to the terminal, thereby avoiding data packet loss; and the first base station is determining After the local key is refreshed by itself and the terminal, the refreshed key is used to recover the data transmission related to the terminal.
- the first base station receives the first key refresh indication information sent by the second base station, the data transmission related to the terminal may not be suspended.
- the first base station pauses data transmission with the terminal and suspends forwarding data to the second base station when determining that a key refresh is required; if the second base station is the primary base station, The second base station suspends data transmission with the terminal and suspends forwarding of data to the first base station when it is determined that key refresh is required.
- the second base station triggering key refresh is similar to the first base station triggering key refresh in the first manner. For details, refer to the description in the first mode.
- the second key refresh indication information includes: PCI and frequency information of the target cell used for the current key refresh, and an NH value used for the current key refresh; or The indication information used to indicate the key refresh using the PCI and frequency information of the current primary cell of the terminal, and the NH value used for the current key refresh.
- the terminal After the second key refresh indication information is received, the terminal performs key refreshing according to the information carried in the second key refresh indication information, as described in the following two manners. Description of the terminal side.
- the second key refresh indication information further includes information of the cell designated by the first base station or the second base station for performing random access for the terminal (such as cell identification information, and/or frequency information of the cell, etc.)
- the second key refresh indication information further includes indication information for indicating that the terminal does not perform random access, so that the terminal performs random access to perform random access. Ignore the random access process.
- the cell specified by the first base station or the second base station for performing random access for the terminal may be the current key refresh determined by the first base station or the second base station.
- the target cell used (or the current primary cell of the terminal) may also be another cell that the first base station or the second base station specifies for the terminal to perform random access.
- the cell designated by the first base station or the second base station for random access by the terminal may be the target cell used by the first base station or the second base station for determining the current key refresh (or the current primary cell of the terminal)
- the terminal Only once in the second key refresh indication information, after receiving the second key refresh indication information, the terminal performs random access in the designated target cell (or the current primary cell of the terminal), and according to the PCI and frequency information of the specified target cell (or the current primary cell of the terminal) and the NH used for this key refresh Value, generate a new security key.
- both the first base station and the second base station since the first base station and the second base station use the same security key to generate a key used for communication with the terminal, both the first base station and the second base station must perform key refresh.
- Case 2 In the above key generation process, the second base station generates the key used for communication with the terminal by using mode 2 or mode 3, that is, the first base station and the second base station generate communication with the terminal by using different security keys.
- the key used, the method further includes the following two ways:
- the first base station is triggered to perform key refresh, which is specifically:
- the second base station suspends data transmission related to the terminal, and resumes data transmission related to the terminal after receiving an indication sent by the first base station for instructing to resume data transmission related to the terminal.
- the first base station performs a local key refresh process, specifically:
- the first base station generates a new security key according to the PCI and frequency information of the target cell used by the current key refresh, and generates a key used for communication with the terminal according to the new security key; or, the first The base station generates a new security key according to the PCI and frequency information of the current primary cell of the terminal, and generates a key used for communication with the terminal according to the new security key.
- the method further includes: triggering the terminal to perform key refresh, specifically including the following two triggering modes:
- the first base station triggers the terminal to perform key refresh, which is specifically:
- the first base station After determining that the key refresh is required, the first base station sends the second key refresh indication information to the terminal, and after receiving the second feedback information returned by the terminal for notifying that the key refresh has been completed, after the refresh is used
- the key communicates with the terminal and notifies the second base station to resume data transmission related to the terminal, wherein the second key refresh indication information is used to instruct the terminal to refresh the key used for communication with the first base station.
- the embodiment of the present invention does not limit the time at which the first base station triggers the terminal to perform key refresh, and the second key refresh indication information may be sent at any time after the first base station determines that the key refresh is required.
- the second base station triggers the terminal to perform key refresh, which is specifically: After receiving the first indication information sent by the first base station, the second base station sends the second key refresh indication information to the terminal, and receives the second feedback information that is returned by the terminal and is used to notify that the key refresh has been completed. Then, the first base station is notified that the terminal has completed the current key refresh; wherein the second key refresh indication information is used to instruct the terminal to refresh the key for communicating with the first base station.
- the embodiment of the present invention does not limit the time at which the second base station triggers the terminal to perform the key refresh.
- the second key refresh indication information may be sent at any time after the second base station receives the first indication information sent by the first base station.
- the first base station suspends data transmission related to the terminal when determining that a key refresh is needed, thereby avoiding data packet loss; and the first base station determines that both the terminal and the terminal complete the local key. After refreshing, the data associated with the terminal is recovered using the refreshed key.
- the first base station determines that the key refresh is needed, the data transmission related to the terminal may not be suspended if the data packet loss is allowed.
- the first base station suspends data transmission related to the terminal and suspends forwarding of data to the second base station when it is determined that the key refresh is required.
- the second base station is triggered to perform a key refresh, specifically:
- the second base station After determining that the local key refresh is required, the second base station sends first indication information to the first base station, where the first indication information is used to indicate that the data transmission related to the terminal is suspended.
- the first base station suspends data transmission related to the terminal. If the first base station is the primary base station, the first base station temporarily suspends forwarding the data of the terminal to the second base station after receiving the first indication information.
- the second base station performs a local key refresh process, which is specifically:
- the second base station generates a new security key according to the PCI and frequency information of the target cell used by the current key refresh (the target cell may be determined by the first base station or may be determined by the second base station), and according to the new security a key that generates a key used to communicate with the terminal;
- the second base station generates a new security key according to the PCI and frequency information of the current primary cell of the terminal, and generates a key used for communication with the terminal according to the new security key.
- the method further includes: triggering the terminal to perform key refresh, specifically including the following two touches Hair way:
- the second base station triggers the terminal to perform key refresh, which is specifically:
- the second base station After determining that the key refresh is required, the second base station sends the second key refresh indication information to the terminal, and after receiving the second feedback information returned by the terminal for notifying that the key refresh has been completed, after the refresh is used.
- the key communicates with the terminal and sends an indication to the first base station for instructing to resume data transmission related to the terminal, wherein the second key refresh indication information is used to indicate that the terminal refreshes the secret used for communication with the second base station key.
- the embodiment of the present invention does not limit the time at which the second base station triggers the terminal to perform key refresh, and the second key refresh indication information may be sent at any time after the second base station determines that the key refresh is required.
- the first base station triggers the terminal to perform key refresh, which is specifically:
- the first base station After receiving the first indication information sent by the second base station, the first base station sends the second key refresh indication information to the terminal, and receives the second feedback information that is returned by the terminal and is used to notify that the key refresh has been completed. Then, the second base station is notified that the terminal has completed the current key refresh; wherein the second key refresh indication information is used to instruct the terminal to refresh the key for communicating with the second base station.
- the embodiment of the present invention does not limit the time at which the first base station triggers the terminal to perform key refresh, and the second key refresh indication information may be sent at any time after the second base station receives the first indication information sent by the second base station.
- the second base station suspends data transmission related to the terminal when determining that a key refresh is needed, thereby avoiding data packet loss; and the second base station determines that the local key is completed by itself and the terminal. After refreshing, use the refreshed key to resume communication with the terminal.
- the second base station determines that the key refresh is needed, the data transmission related to the terminal may not be suspended if the data packet loss is allowed.
- the second key refresh indication information includes: PCI and frequency information of the target cell used for the current key refresh, and an NH value used for the current key refresh; or The indication information used to indicate the key refresh using the PCI and frequency information of the current primary cell of the terminal, and the NH value used for the current key refresh.
- the second key refresh indication information further includes information of the cell designated by the first base station or the second base station for performing random access for the terminal (such as cell identification information, and/or frequency information of the cell, etc.) ), so that when the terminal performs random access, random access is performed in the designated cell.
- the first base station and the second base station use different security keys to generate a key used for communication with the terminal, the first base station and the second base station do not need to perform key refresh at the same time.
- the first base station If the first base station is triggered, the first base station refreshes the key used for communication with the terminal and the terminal refreshes the key used for communication with the first base station;
- the second base station If the second base station is triggered, the second base station refreshes the key used to communicate with the terminal and the terminal refreshes the key used to communicate with the second base station.
- the second key refresh indication information sent by the first base station or the second base station to the terminal may use an existing RRC reconfiguration message (such as switching).
- the second key refresh indication information may also adopt other existing messages, and may also adopt a newly defined message.
- the key update provided by the embodiment of the present invention specifically includes the following two situations: Case 1: In the above key generation process, the second base station uses the mode 1 to generate a key used for communication with the terminal, that is, the first A base station and the second base station use the same security key to generate a key used for communication with the terminal, and the method further includes:
- the second base station receives the first key update indication information sent by the first base station, where the first key update indication information carries the first base station to acquire a new security key from the MME;
- the second base station updates the key used for communication with the terminal according to the new security key carried in the first key update indication information
- the second base station After completing the current key update, the second base station returns, to the first base station, first reply information for notifying that the current key update has been completed.
- the primary base station of the terminal such as the base station to which the macro cell belongs
- the base station to which the primary cell belongs is triggered by the key update process, that is, the first base station involved in the key update process is the primary base station of the terminal
- the second base station is the secondary base station of the terminal (for example, the base station to which the small cell belongs and the secondary cell to which the secondary cell belongs Base station, etc.), specifically:
- the first base station determines that the key update needs to be performed, and sends the first key update indication information to the second base station to indicate the The second base station updates the key used for communication with the terminal according to the new security key; or, after receiving the key update request sent by the second base station, the first base station determines that the key update needs to be performed, and The second base station sends the first key update indication information to instruct the second base station to update the key used for communication with the terminal according to the new security key.
- the key update trigger condition refer to the trigger condition in the key update process in the existing single-connection mode.
- the 33.401 protocol which is the security architecture in the 3GPP system architecture research.
- the MME needs to activate a security context different from the current Evolved Packet System (EPS) access layer security context to trigger the key update process.
- EPS Evolved Packet System
- the method further includes: performing, by the first base station, a local key update, specifically: the first base station updates a key used for communicating with the terminal according to the new security key acquired from the MME.
- the time at which the first base station performs local key update is not limited, and the first base station may perform local key update at any time after determining that the key update is required.
- the method further includes: triggering the terminal to perform key update, specifically including the following two triggering modes:
- the first base station triggers the terminal to perform key update, which is specifically:
- the first base station After determining that the key update needs to be performed, the first base station sends the second key update indication information to the terminal, and after receiving the second reply information returned by the terminal for notifying that the current key update has been completed, notifying the second The base station has completed the current key update, and the second key update indication information is used to instruct the terminal to update the key used for communication with the first base station and the second base station.
- the second base station after receiving the notification sent by the first base station, and the second base station has completed the local key update, the second base station communicates with the terminal by using the updated key.
- the embodiment of the present invention does not limit the time when the first base station triggers the terminal to perform key update, and the second key update indication information may be sent at any time after the first base station determines that the key update is required.
- the second base station triggers the terminal to perform key update, which is specifically:
- the second base station After receiving the first key update indication information sent by the first base station, the second base station sends the second key update indication information to the terminal, and receives the first returned by the terminal to notify that the current key update has been completed. After the second reply message, the first base station is notified that the terminal has completed the current key update, and the second key update indication information is used to indicate that the terminal updates the key used for communicating with the first base station and the second base station.
- the second base station receives the second reply information returned by the terminal for notifying that the current key update has been completed, and after the second base station has completed the local key update, uses the updated key to communicate with the terminal.
- the second base station when receiving the first key update indication information sent by the first base station, the second base station suspends data transmission related to the terminal, thereby avoiding data packet loss; After the second base station determines that the local and the terminal have completed the local key update, or after the second base station determines that the self, the first base station, and the terminal complete the local key update, the second base station uses the updated key to resume communication with the terminal.
- the second base station receives the first key update indication information sent by the first base station, the data transmission related to the terminal may not be suspended if the data packet loss is allowed.
- the second key update indication information further includes information about the cell that the first base station specifies for the terminal to perform random access (the designated cell may be one or more secondary cells or small cells, or may be the terminal current The primary cell is configured to enable the terminal to perform random access in the designated cell.
- the second key refresh indication information further includes indication information for indicating that the terminal does not perform random access, so that the terminal ignores the random Access process.
- the first base station suspends data transmission related to the terminal and suspends forwarding of data of the terminal to the second base station, thereby avoiding data packet loss.
- the first base station is determined to be itself, the second base station, and the terminal are all completed After the cost key is updated, the updated key is used to recover the data transmission related to the terminal and to resume forwarding the data of the terminal to the second base station.
- the first base station may not suspend the data transmission related to the terminal and does not suspend forwarding the data of the terminal to the second base station.
- the second key update indication information sent by the first base station or the second base station to the terminal may use an existing RRC reconfiguration message to save the signaling overhead of the system.
- the second key update indication information may also use other existing messages, and may also adopt a newly defined message.
- Case 2 In the above key generation process, the second base station generates the key used for communication with the terminal by using mode 2 or mode 3, that is, the first base station and the second base station generate communication with the terminal by using different security keys.
- the key used, the method further includes the following two ways:
- the first base station is triggered to perform a key update, specifically:
- the second base station suspends data transmission related to the terminal, and resumes data transmission related to the terminal after receiving an indication sent by the first base station for instructing to resume data transmission related to the terminal.
- the first base station After the first base station determines that the set key update trigger condition is met, the first base station first sends the first indication information to the second base station to indicate that the data transmission related to the terminal is suspended; then, the first base station acquires the MME. Generating a new first security key for the first base station, and generating a key used for communication with the terminal according to the new first security key and its own security algorithm; and finally, the first base station to the second base station An indication is sent to indicate that data transmission associated with the terminal is resumed.
- the method further includes: triggering the terminal to perform key update, specifically including the following two triggering modes:
- the first base station triggers the terminal to perform key update, which is specifically:
- the first base station After determining that the key update needs to be performed, the first base station sends the second key update indication information to the terminal, and after receiving the second reply information returned by the terminal for notifying that the current key update has been completed, using the update Key communicates with the terminal and notifies the second base station to recover data related to the terminal Transmission, where the second key update indication information is used to instruct the terminal to update a key used for communication with the first base station.
- the embodiment of the present invention does not limit the time when the first base station triggers the terminal to perform the key update, and the second key update indication information may be sent at any time after the first base station determines that the key update is needed.
- the second base station triggers the terminal to perform key update, which is specifically:
- the second base station After receiving the first indication information sent by the first base station, the second base station sends the second key update indication information to the terminal, and receives the second reply information that is returned by the terminal and is used to notify that the current key update has been completed. Then, the first base station is notified that the terminal has completed the current key update; wherein the second key update indication information is used to instruct the terminal to update the key that communicates with the first base station.
- the embodiment of the present invention does not limit the time when the second base station triggers the terminal to perform the key update, and the second key update indication information may be sent at any time after the second base station receives the first indication information sent by the first base station.
- the first base station suspends data transmission related to the terminal when determining that the key update is needed, thereby avoiding data packet loss; and the first base station determines that the local key is completed by itself and the terminal. After the update, the terminal-related data transfer is resumed using the updated key.
- the first base station determines that the key update is needed, the data transmission related to the terminal may not be suspended if the data packet loss is allowed.
- the first base station suspends data transmission related to the terminal and suspends forwarding of data to the second base station when determining that the key update is required.
- the second base station is triggered to perform a key update, specifically:
- the second base station After determining that the local key update is required, the second base station sends the first indication information to the first base station, where the first indication information is used to indicate that the data transmission related to the terminal is suspended.
- the first base station suspends data transmission related to the terminal. If the first base station is the primary base station, the first base station temporarily suspends forwarding the data of the terminal to the second base station after receiving the first indication information.
- the second base station performs a local key update process, specifically:
- the second base station After determining that the set key update trigger condition is met, the second base station first sends the first base station to the first base station. An indication information to indicate to suspend data transmission related to the terminal; then, the second base station acquires a new second security key generated by the MME for the second base station, and according to the new second security key and its own security algorithm Generating a key used for communicating with the terminal; finally, the second base station transmits an indication to the first base station for instructing to resume data transmission related to the terminal.
- the method further includes: triggering the terminal to perform key update, specifically including the following two triggering modes:
- the second base station triggers the terminal to perform key update, which is specifically:
- the second base station After determining that the key refresh is required, the second base station sends the second key update indication information to the terminal, and after receiving the second reply information returned by the terminal for notifying that the key refresh has been completed, using the update
- the key communicates with the terminal and sends an indication to the first base station for instructing to resume data transmission related to the terminal, wherein the second key update indication information is used to indicate that the terminal updates the secret used for communicating with the second base station key.
- the embodiment of the present invention does not limit the time at which the second base station triggers the terminal to perform key update, and the second key update indication information may be sent at any time after the second base station determines that the key update is required.
- the first base station triggers the terminal to perform key update, which is specifically:
- the first base station After receiving the first indication information sent by the second base station, the first base station sends the second key update indication information to the terminal, and receives the second reply information that is returned by the terminal and is used to notify that the current key refresh has been completed. Then, the second base station is notified that the terminal has completed the current key update; wherein the second key update indication information is used to instruct the terminal to update the key for communicating with the second base station.
- the embodiment of the present invention does not limit the time when the first base station triggers the terminal to perform the key update, and the second key update indication information may be sent at any time after the second base station receives the first indication information sent by the second base station.
- the second base station suspends data transmission related to the terminal when determining that the key update is needed, thereby avoiding data packet loss; and the second base station determines that the local key is completed by itself and the terminal. After the update, the communication with the terminal is resumed using the updated key.
- the second base station determines that a key update is needed, if the data packet loss is allowed, The data transfer associated with the terminal is not suspended.
- the second key update indication information includes information about a cell designated by the first base station or the second base station for performing random access for the terminal (such as identity information of the cell, and/or frequency information of the cell, etc.), so that When performing random access, the terminal performs random access in the designated cell.
- information about a cell designated by the first base station or the second base station for performing random access for the terminal such as identity information of the cell, and/or frequency information of the cell, etc.
- the first base station and the second base station use different security keys to generate a key used for communication with the terminal, the first base station and the second base station do not need to perform key update at the same time.
- the second key update indication information sent by the first base station or the second base station to the terminal may use an existing RRC reconfiguration message (such as a handover command) to save the system. Signaling overhead.
- the second key update indication information may also use other existing messages, and may also adopt a newly defined message.
- the embodiment of the present invention further provides a terminal side key processing method, where The method includes the following steps:
- the terminal that is in communication connection with the first base station and the second base station receives the second request information sent by the first base station or the second base station, where the second request information is used to request the terminal to generate the communication with the second base station.
- the second request information carries the identifier information of the security algorithm used by the second base station.
- the terminal generates a key used for communication with the second base station according to the received second request information.
- the first base station is a primary base station of the terminal, such as a base station where the macro cell is located
- the second base station is a secondary base station (ie, a SeNB) of the terminal, such as a base station where the small cell is located.
- a SeNB secondary base station
- the key used by the terminal to communicate with the base station includes but is not limited to one or a combination of the following keys:
- the encryption key of the control plane message the integrity protection key of the control plane message, and the encryption key of the user plane data.
- the following three methods are specifically included in the step S52: Mode 1.
- the terminal generates a key used for communication with the second base station according to the security algorithm used by the second base station and the security key generated by the first base station.
- the terminal In a second mode, the terminal generates a key used for communication with the second base station according to the security algorithm used by the second base station and the PCI and frequency information of the cell used to generate the security key of the second base station included in the second request information. .
- the terminal generates a corresponding security key according to the PCI and frequency information of the cell used to generate the security key of the second base station included in the second request information, and according to the generated security key and the used by the second base station.
- a security algorithm that generates a key used to communicate with the second base station.
- Mode 3 If the second request information includes indication information for instructing the terminal to generate the second security key for the second base station, the terminal according to the security context information that is saved by the terminal for generating the second security key of the second base station Generating a second security key and generating a key for communicating with the second base station based on the second security key.
- the MME and the terminal may store multiple sets of security context information for generating the security key, in order to ensure that the MME and the terminal use the same security context information to generate the second security key of the second base station, it is preferably implemented.
- the MME indicates an identifier (such as a number of the security context information) of the security context information used by the terminal to generate the second security key of the second base station.
- the terminal receives the identifier of the security context information used by the MME to generate the second security key, and generates a second security key according to the security context information corresponding to the identifier saved by the terminal.
- the method provided by the embodiment of the present invention further includes:
- the terminal performs random access on the cell corresponding to the PCI and the frequency information for generating the security key of the second base station included in the second request information, to access the second base station;
- the first base station or the second base station included in the second request information performs random access on another cell designated by the terminal for random access to access the second base station.
- the method provided by the embodiment of the present invention further includes: the terminal performing a local key refresh process, specifically:
- Second key refresh indication information sent by the first base station or the second base station, where the second key is The key refresh indication information is used to instruct the terminal to refresh a key used for communicating with the first base station and/or the second base station;
- the terminal generates a new security key according to the information carried in the second key refresh indication information, and generates a key used for communication with the first base station and/or the second base station based on the new security key;
- a base station or the second base station returns second feedback information for notifying that the key refresh has been completed.
- the terminal may, after completing the local key refresh, the first base station or the second base station (in this case, the second base station will Receiving the second feedback information to notify the first base station) to return the second feedback information;
- the terminal may notify the first base station after completing the local key refresh (in this case, the second base station receives the second feedback information The second base station) or the second base station returns the second feedback information.
- the terminal generates a new security key according to the information carried in the second key refresh indication information, and generates a key used for communication with the first base station and/or the second base station based on the new security key, specifically including :
- the terminal If the second key refresh indication information includes the PCI and frequency information of the target cell used for the current key refresh and the NH value used for the current key refresh, the terminal according to the indicated NH value and the indicated target cell PCI Generating a new security key with the frequency information, and generating a key used for communicating with the first base station and/or the second base station according to the new security key;
- the terminal indicates according to the indication.
- the NH value and the PCI and frequency information of the current primary cell of the terminal generate a new security key, and generate a key used for communication with the first base station and/or the second base station based on the new security key.
- the terminal receives the second key refresh indication sent by the first base station or the second base station. After the information, refreshing the key used for communication with the first base station and the second base station;
- the first base station and the second base station use different security keys to generate a key used for communication with the terminal, and the first base station is triggered to perform key refresh, and the terminal receives the first base station or the second base station to send the first After the second key refresh indication information, the key used for communication with the first base station is refreshed; if the first base station and the second base station use different security keys to generate a key used for communication with the terminal, and the second base station After the key refresh is triggered, the terminal refreshes the key used for communication with the second base station after receiving the second key refresh indication information sent by the first base station or the second base station.
- the first base station or the second base station when transmitting the second key refresh indication information to the terminal, carries the indication information in the second key refresh indication information to indicate the density used by the terminal to perform communication with the first base station.
- the second key refresh indication information includes: the PCI and frequency information of the target cell used for the current key refresh, and the NH value used for the current key refresh; or
- the PCI and frequency information of the primary cell performs key refresh indication information and the NH value used for the current key refresh.
- the second key refresh indication information further includes information of the cell designated by the first base station or the second base station for performing random access for the terminal (such as cell identification information, and/or frequency information of the cell, etc.) ).
- the second key refresh indication information further includes information that the first base station or the second base station performs the cell specified by the terminal for performing random access, the terminal performs random access on the indicated cell;
- the key refresh indication information indicates that the terminal does not perform random access (if the second key refresh indication information does not include information of the cell designated by the first base station or the second base station for performing random access by the terminal, or the second secret)
- the key refresh indication information includes indication information indicating that the terminal does not perform random access, and the terminal does not perform random access.
- the method provided by the embodiment of the present invention further includes:
- the terminal receives the second key update indication information sent by the first base station or the second base station, where the second key update indication information is used to indicate that the terminal updates the key used for communicating with the first base station and the second base station;
- the terminal generates a new security key according to the saved security context information, and generates a key used for communication with the first base station and the second base station according to the new security key;
- the terminal returns, to the first base station or the second base station, second reply information for notifying that the current key update has been completed.
- the terminal may perform the local key update to the first base station or the second base station (in this case, the second base station will Receiving the second reply information to notify the first base station) to return the second reply information;
- the terminal may notify the first base station after completing the local key update (in this case, the second base station receives the second reply information The second base station) or the second base station returns the second reply information.
- Embodiment 1 the MeNB and the SeNB working in the UE use the same security key Ke NB to generate a key used for communication with the UE before the key is refreshed.
- the initial security key generation process on the SeNB side is as follows:
- the MeNB sends a SeNB addition request message to the SeNB.
- the triggering condition for the MeNB to send the SeNB Add Request message to the SeNB may be that the MeNB may perform part of the service or part of the data to be transmitted to the SeNB for transmission based on the need to uninstall the self load, so the SeNB addition request message needs to be sent to the SeNB.
- the SeNB addition request message may include information about a service or data that needs to be specifically offloaded by the SeNB.
- the SeNB increases the Ke NB in the request message that needs to carry the security key currently used by the MeNB.
- the SeNB addition request message may include information of a SCell (secondary cell) recommended by the MeNB, to assist the SeNB to configure a SCell for the UE, where the SCell is a cell under the SeNB, that is, a cell managed and controlled by the SeNB.
- SCell secondary cell
- the SeNB After receiving the SeNB Add Request message, the SeNB generates a key used for communicating with the UE according to the Ke NB carried in the SeNB Add Request message and its own security algorithm. Secret key 1 ⁇ . And/or integrity protection key K int . Then, the SeNB sends an SeNB Add acknowledgment message to the MeNB to confirm that the MeNB is allowed to perform shunting.
- the SeNB adds the acknowledgment message, which may include the security algorithm identifier of the SeNB, the information of the SCell configured by the SeNB for the UE, for example, the identifier information or the frequency information of the SCell.
- the SCell is a cell that is managed and controlled by the SeNB, and the SCell configured by the SeNB for the UE includes at least a cell specified for performing random access for the UE and/or a cell used for performing the current key refresh.
- the cell specified by the UE to perform random access is the same cell as the cell used for performing the current key refresh.
- the MeNB sends an RRC reconfiguration message to the UE, where the RRC reconfiguration message includes a security algorithm identifier used by the SeNB.
- the RRC reconfiguration message further includes information about the SCell configured by the SeNB for the UE.
- the UE After receiving the RRC reconfiguration message, the UE performs access to the SeNB.
- the UE may access the SeNB by performing random access on the designated SCell.
- the UE generates a key used for communication with the SeNB according to the security algorithm indicated in the RRC reconfiguration message and its current KeNB, such as the encryption key Ke nc and/or the integrity protection key K int .
- the MeNB After determining that the key refresh is required, the MeNB triggers a key refresh process, as follows:
- the MeNB actively triggers a key refresh, or the MeNB receives a key refresh request sent by the SeNB, and is triggered to perform a key refresh.
- the key refresh request message sent by the SeNB to the MeNB may carry information of the SCell that the UE recommended by the SeNB can perform random access when performing key refresh.
- the MeNB sends a key refresh indication message to the SeNB to instruct the SeNB to stop data transmission and perform a key refresh process.
- the key refresh indication message includes the PCI and frequency information of the target cell used by the current key update determined by the MeNB, and the NH value used for the current key refresh; preferably, the UE may also include the key refresh.
- the information of the SCell that can be randomly accessed may be used, and the information of the SCell may be the identification information or the frequency information of the SCell;
- the key refresh indication message includes indication information for indicating key refresh according to the PCI and frequency of the current PCell of the UE, and an NH value used for the current key refresh; preferably, the UE may also include the key. Information about the SCell that can be randomly accessed during refresh.
- the SeNB After receiving the key refresh indication message sent by the MeNB, the SeNB stops data transmission with the UE, and starts to perform key refresh.
- the specific key refresh process is as follows:
- the key refresh indication message includes the PCI and frequency information of the target cell used by the current key refresh and the NH value used for the current key refresh, the SeNB according to the indicated NH value and the indicated PCI of the target cell.
- the frequency information generates a new security key, which is recorded as Ke NB ;
- the key refresh indication message includes indication information for indicating key refresh according to the PCI and frequency of the current PCell of the UE and an NH value used for the current key refresh
- the SeNB according to the indicated NH value and the current UE
- the PCell's PCI and frequency information generates a new security key Ke NB .
- the SeNB generates a key used for communication with the UE, such as a new encryption key and/or an integrity protection key K int , based on the Ke NB and the security algorithm of the SeNB.
- the SeNB sends a key refresh confirmation message to the MeNB.
- the message is not limited to being transmitted after the step S67, and the message may be sent to the MeNB at any time after the SeNB confirms that the key is refreshed.
- the SeNB sends an RRC reconfiguration message to the UE.
- the RRC reconfiguration message includes the PCI and frequency information of the target cell used for the current security key refresh, and the NH value used for the current key refresh.
- the RRC reconfiguration message may further include that the UE can perform the key refreshing.
- the information of the SCell may be the identification information or the frequency information of the SCell.
- the RRC reconfiguration message includes indication information for indicating key refresh according to the PCI and frequency of the current PCell of the UE, and an NH value used for the current key refresh.
- the UE may also include the key refresh.
- the information of the SCell that can be randomly accessed can be performed. Send, this message can be sent to the MeNB at any time after the SeNB confirms that the key is refreshed. After receiving the RRC reconfiguration message, the UE stops the data transmission and starts to perform key refresh.
- the UE if the RRC reconfiguration message includes the PCI and frequency information of the target cell used by the current key refresh and the NH value used for the current key refresh, the UE according to the indicated NH value and the indicated target cell PCI and frequency information generate a new security key, denoted as Ke NB ,;
- the RRC reconfiguration message includes indication information for indicating key refresh according to the PCI and frequency of the current PCell of the UE and an NH value used for the current key refresh, the UE according to the indicated NH value and the indicated target cell
- the PCI and frequency information generates a new security key Ke NB .
- the UE generates a new key used for communication with the MeNB according to the new Ke NB and the security algorithm of the MeNB, such as a new encryption key and/or an integrity protection key K int ; meanwhile, the UE according to the new Ke The NB , and the SeNB's security algorithm generates a key used to communicate with the SeNB, such as a new encryption key Ke nc and/or an integrity protection key K int .
- the RRC reconfiguration message further includes information that the UE performs the random access SCell, the UE performs random access on the indicated SCell. Otherwise, that is, the RRC reconfiguration message indicates that random access is not performed, and the UE ignores the random access procedure.
- the UE sends an RRC reconfiguration complete message to the SeNB. specific:
- the UE sends an RRC reconfiguration complete message to the SeNB after performing the random access on the indicated SCell; if the RRC reconfiguration message indicates no When random access is performed, the UE directly sends an RRC reconfiguration complete message to the SeNB.
- the UE may send a scheduling request to the SeNB before sending the RRC reconfiguration complete message to the SeNB.
- the SeNB After receiving the RRC reconfiguration complete message sent by the UE, the SeNB starts to recover the data transmission with the UE by using the new security key.
- the SeNB sends a security key refresh complete message to the MeNB.
- the MeNB After receiving the security key refresh complete message sent by the SeNB, the MeNB starts to recover the data transmission with the UE by using the new security key.
- Embodiment 2 In this embodiment, the MeNB and the SeNB working in the UE use different security keys to generate a key used for communication with the UE before the key is refreshed. Referring to FIG. 7, the initial security key generation process on the SeNB side is as follows:
- the MeNB sends a SeNB addition request message to the SeNB.
- the triggering condition for the MeNB to send the SeNB Add Request message to the SeNB may be that the MeNB may perform part of the service or part of the data to be transmitted to the SeNB for transmission based on the need to uninstall the self load, so the SeNB addition request message needs to be sent to the SeNB.
- the SeNB addition request message includes a Ke NB currently used by the MeNB, and instructs the SeNB to use a new KeNB' different from the Ke NB .
- the SeNB sends an SeNB addition confirmation message to the MeNB to confirm that the MeNB is allowed to perform offloading.
- the UE determines one or more SCell increased, and at least one SCell determined PCI and differs from the frequency information to produce new Ke NB Ke NB of. Then, the eNB transmits an SeNB addition confirmation message to the MeNB.
- the MeNB sends an RRC reconfiguration message to the UE, where the RRC reconfiguration message includes a security algorithm identifier used by the SeNB and PCI and frequency information of the SCell used to generate the Ke NB .
- the RRC reconfiguration message further includes information of one or more SCells configured by the SeNB for the UE.
- the UE After receiving the RRC reconfiguration message, the UE performs access to the SeNB.
- the UE may perform random access on the SCell for generating the access to the SeNB; or the UE may perform random access on the other designated SCells that perform random access. Access to the SeNB. Meanwhile, UE according to the RRC reconfiguration message indicating for generating Ke NB, the PCI and SCell frequency information generation Ke NB,.
- the UE generates a key used for communication with the SeNB, such as an encryption key Ke nc and/or an integrity protection key, according to the security algorithm identifier used by the SeNB and the generated Ke NB indicated in the RRC reconfiguration message. K int .
- a security key different from the MeNB side may be generated on the SeNB side by the following method. Specific The process is as follows:
- the MeNB sends an SeNB addition request message to the SeNB.
- the SeNB addition request message includes a security key K eNB generated by the MME for the SeNB.
- the SeNB After receiving the SeNB addition request message, the SeNB determines one or more SCells that are added by the UE, and sends an SeNB addition confirmation message to the MeNB to confirm that the MeNB is allowed to perform offloading.
- the MeNB sends an RRC reconfiguration message to the UE, where the RRC reconfiguration message includes a security algorithm identifier used by the SeNB. Further, the RRC reconfiguration message further includes indication information for instructing the UE to generate the Ke NB .
- the UE After receiving the RRC reconfiguration message, the UE performs access to the SeNB.
- the UE may first generate K ASME according to the locally maintained second K associated with the SeNB, the second IK and the second CK, and then generate a KeN according to the K ASME , where the second K, the second IK, and the second CK Relevant parameters for the security key generated by the SeNB maintained locally for the UE.
- the UE generates a key used for communication with the SeNB, such as an encryption key and/or an integrity protection key K int , according to the security algorithm and the generated security.
- a key used for communication with the SeNB such as an encryption key and/or an integrity protection key K int , according to the security algorithm and the generated security.
- the MeNB triggers a key refresh process, as follows:
- the MeNB is triggered to perform local key refresh.
- the MeNB is triggered to perform local key refresh, suspend data transmission with the UE and suspend forwarding of data of the UE to the SeNB.
- the MeNB sends a key refresh indication message to the SeNB to instruct the SeNB to suspend data transmission with the UE, and the MeNB sends an RRC reconfiguration message to the UE.
- the RRC reconfiguration message includes the PCI and frequency information of the target cell used by the current security key refresh and the NH value used for the current key refresh.
- the RRC reconfiguration message is used to indicate the PCI and the current PCell based on the UE.
- the frequency performs the key refresh indication information and the NH value used for the current key refresh.
- This step does not send the RRC reconfiguration message to the MeNB and the MeNB sends the MME to the SeNB.
- the key refresh indicates that the execution order of the message is limited.
- the SeNB After receiving the key refresh indication message sent by the MeNB, the SeNB suspends data transmission with the UE.
- the UE After receiving the RRC reconfiguration message, the UE stops performing data transmission and starts to perform key refresh.
- the UE may generate a new security key according to the NH value indicated in the RRC reconfiguration message and the indicated PCI and frequency information of the target cell or the PCell, that is, And generating a new key used for communication with the MeNB according to the Ke NB , the generation and the security algorithm of the MeNB.
- the UE may also perform random access on the target cell or PCell indicated in the RRC reconfiguration message.
- the UE performs random access on the target cell or the PCell indicated in the RRC reconfiguration message, and sends an RRC reconfiguration complete message to the MeNB.
- the MeNB After receiving the RRC reconfiguration complete message sent by the UE, the MeNB sends a key refresh complete indication message to the SeNB, and after determining that the local key refresh is completed, the MeNB communicates with the UE by using the refreshed key.
- the SeNB After receiving the key refresh complete indication message sent by the MeNB, the SeNB starts to resume data transmission with the UE.
- the third embodiment is different from the second embodiment in that the SeNB is triggered to perform a local key refresh process in this embodiment.
- S81 ⁇ S84 are the same as S71 ⁇ S74 in the second embodiment, and are not described here.
- the SeNB is triggered to perform a local key refresh of the SeNB.
- the SeNB is triggered to perform a local key refresh and suspend data transmission with the UE.
- the SeNB sends a key refresh indication message to the MeNB, to instruct the MeNB to suspend forwarding of data of the UE to the SeNB.
- the MeNB When receiving the key refresh indication message sent by the SeNB, the MeNB suspends forwarding the data of the UE to the SeNB. 588. The SeNB or the MeNB sends a key refresh indication message to the UE.
- the RRC reconfiguration message includes the PCI and frequency information of the target cell used by the current security key refresh and the NH value used for the current key refresh.
- the RRC reconfiguration message is used to indicate the PCI and the current PCell based on the UE.
- the frequency performs the key refresh indication information and the NH value used for the current key refresh.
- the UE After receiving the key refresh indication message, the UE stops performing data transmission with the SeNB, and starts to perform key refresh.
- the UE may generate a new security key K eNB according to the PCI and frequency information of the SCell or PCell indicated in the key refresh indication message. Further, the UE generates a new key used for communication with the SeNB according to the generated ⁇ and the security algorithm of the SeNB.
- the UE performs random access on the SCell indicated in the key refresh indication message, and sends a key refresh complete message to the SeNB.
- the SeNB After receiving the key refresh complete message sent by the UE, the SeNB sends a key refresh complete indication message to the MeNB, and after the local key refresh is completed by itself, uses the refreshed key to communicate with the UE.
- the MeNB After receiving the key refresh complete indication message sent by the SeNB, the MeNB starts to resume forwarding the UE data to the SeNB.
- Embodiment 4 the MeNB and the SeNB working in the UE use the same security key Ke NB to generate a key used for communication with the UE before the key is updated.
- the initial security key generation process on the SeNB side is as follows:
- S91-S94 is the same as S61 ⁇ 64 in the first embodiment, and details are not described herein again.
- the MeNB After the MeNB is triggered to perform the key update, the MeNB triggers the key update process, as follows:
- the MeNB is triggered to perform a key update, and acquires a new security key from the MME, which is recorded as KeNB2.
- the MeNB may locally trigger a key update, or may also receive the SeNB or
- the key update is triggered when the key update request is sent by the MME.
- the MeNB sends a key update indication message to the SeNB, where the key update indication message is included in the packet.
- the MeNB includes the KeNB2 obtained from the MME; and the MeNB sends an RRC reconfiguration message to the UE, where the RRC reconfiguration message includes indication information for instructing the UE to perform the key update.
- the sequence in which the MeNB sends the RRC reconfiguration message to the UE and the MeNB sends the SeNB key update indication message is not limited.
- the SeNB After receiving the key refresh indication message sent by the MeNB, the SeNB acquires And generating a new key according to the security algorithm of Ke NB2 and SeNB, such as encryption key Ke nc and/or integrity protection key K int . Further, after the key update is completed, the SeNB sends a key update confirmation message to the MeNB to report that the local key update has been completed.
- the SeNB suspends data transmission with the UE.
- the UE After receiving the RRC reconfiguration message, the UE stops performing data transmission, and starts to perform local key update, including updating a key for communicating with the MeNB and a key for communicating with the SeNB.
- the UE when determining, according to the indication of the RRC reconfiguration message, the UE needs to update the key, first generate a new K ASME , which is denoted as K ASME2 ; then, according to K ASME , and a non-access stratum (NAS) The new COUNT value produces a new Ke NB2 . Further, the UE generates a new key used for communication with the MeNB according to the generated e NB2 and the security algorithm of the MeNB, such as a new encryption key.
- SeNB security algorithm to generate a new key for use with the SeNB communication, such as encryption keys K ⁇ - s and / or integrity protection key K int - s.
- the UE performs random access on the target cell or PCell indicated in the RRC reconfiguration message, and sends an RRC reconfiguration complete message to the MeNB.
- the MeNB After receiving the RRC reconfiguration complete message sent by the UE, the MeNB sends a key update completion indication message to the SeNB, and after completing the local key update itself, uses the updated key (such as a new encryption key Ke). Nc - M and / or integrity protection key K lnt - M ) communicate with the UE.
- a key update completion indication message such as a new encryption key Ke.
- Nc - M and / or integrity protection key K lnt - M communicate with the UE.
- the SeNB After receiving the key update completion indication message sent by the MeNB, and completing the local key update by itself, the SeNB uses the updated key (such as a new encryption key K ⁇ -s and/or integrity guarantee).
- the key K int — s resumes communication with the UE.
- the fifth embodiment is different from the fourth embodiment in that, in this embodiment, the SeNB triggers the UE to perform key update by using an RRC reconfiguration message.
- the initial security key generation process on the SeNB side is as follows:
- S101-S104 is the same as S61 ⁇ 64 in the first embodiment, and details are not described herein again.
- the MeNB After the MeNB is triggered to perform the key update, the MeNB triggers the key update process, as follows:
- S105-S106 is the same as S95 ⁇ S96 in the fourth embodiment, and is not described here.
- the SeNB After receiving the RRC reconfiguration message sent by the MeNB, the SeNB acquires the Ke NB2 and forwards the RRC reconfiguration message to the UE.
- the RRC reconfiguration message does not include Ke NB2 .
- the UE uses the RRC reconfiguration message SeNB acquired Ke NB2 and SeNB security algorithm to generate a new key used for communication, such as the (new encryption key Ke nc - s and / or integrity protection dense Key K int — s ).
- the SeNB suspends data transmission with the UE.
- the SeNB sends a key update confirmation message to the MeNB to report that the local key update has been completed.
- the UE After receiving the RRC reconfiguration message, the UE stops performing data transmission, and starts to perform key update, including updating a key for communicating with the MeNB and a key for communicating with the SeNB.
- the UE when determining, according to the indication of the RRC reconfiguration message, the UE needs to update the key, first generate a new K ASME , denoted as K ASME2 ; and then generate a new Ke NB2 according to the new COUNT value of K ASME2 and the NAS. Further, the UE generates, according to the generated Ke NB2 and the security algorithm of the MeNB, a new key used for communication with the MeNB, such as a new encryption key Ke nc — M and/or an integrity protection key K int — M; And generating, by the UE, a new key used for communicating with the SeNB according to the generated and SeNB security algorithm, such as an encryption key Ke nc — s and/or an integrity protection key
- the UE performs random access on the target cell or the PCell indicated in the RRC reconfiguration message, and sends an RRC reconfiguration complete message to the MeNB.
- the RRC reconfiguration complete message uses new The encryption key K ⁇ -s and/or the integrity protection key Kint - s are encrypted and integrity protected.
- the SeNB After receiving the RRC reconfiguration complete message sent by the UE, the SeNB sends an RRC reconfiguration complete message to the MeNB, and after completing the local key update itself, uses a new key (such as a new encryption key K ⁇ ). s and/or integrity protection key Kint - s ) communicate with the UE.
- a new key such as a new encryption key K ⁇ .
- s and/or integrity protection key Kint - s communicate with the UE.
- the MeNB After receiving the RRC reconfiguration complete message sent by the SeNB, and completing the local key update by itself, the MeNB uses a new key (such as a new encryption key K ⁇ -M and/or an integrity protection key K). Int — ⁇ ) Resume communication with the UE.
- a new key such as a new encryption key K ⁇ -M and/or an integrity protection key K.
- an embodiment of the present invention further provides a base station.
- the base station includes:
- the receiving module 111 is configured to receive first request information sent by the first base station, where the first request information is used to request the base station to generate a key used for communicating with the terminal;
- the processing module 112 is configured to generate, according to the security key carried in the first request information, a key used for communicating with the terminal;
- the base station and the first base station both have a communication connection with the terminal.
- processing module 112 is specifically configured to:
- the processing module 112 generates a security key different from the first security key, and specifically includes: determining at least one PCI and frequency information of a cell covered by the second base station, and according to the determined PCI and frequency information of the cell, and the first The security key, which generates a different security key than the first security key.
- processing module 112 is specifically configured to:
- the processing module 112 is further configured to:
- the receiving module 111 After receiving the first request information sent by the first base station, the receiving module 111 sends the second request information to the terminal, where the second request information is used to request the terminal to generate a key used for communication with the second base station.
- the second request information includes the PCI and frequency information of the cell used to generate the security key of the second base station; or the second request information includes, in the second request information, the terminal is used to indicate that the terminal is the second base station.
- the indication information of the second security key is generated.
- the shell 1 J if the first base station and the local base station generate a key used for communication with the terminal based on the same security key, the shell 1 J:
- the receiving module 111 is further configured to receive the first key refresh indication information sent by the first base station, where the first key refresh indication information is used to indicate that the base station refreshes a key used for communicating with the terminal; the processing module 112 is further configured to: Generating a new security key according to the information carried in the first key refresh indication information, and generating a key used for communication with the terminal according to the new security key.
- the processing module 112 is further configured to:
- first key refresh indication information is used to indicate that the first base station refreshes a key used for communicating with the terminal.
- the first feedback information returned by the first base station for notifying that the key refresh has been completed, and after the local key refresh has been completed, uses the refreshed key to communicate with the terminal.
- processing module 112 is further configured to:
- the second key refresh indication information is sent to the terminal, and after the second feedback information returned by the terminal for notifying that the key refresh has been completed is received, the refreshed key is used. Communicate with the terminal; or,
- the receiving module 111 After receiving the first key refresh indication information sent by the first base station, the receiving module 111 sends the second key refresh indication information to the terminal, and receives the first returned by the terminal to notify that the key refresh has been completed. After the feedback information, the first base station terminal is notified that the key refresh has been completed;
- the second key refresh indication information is used to indicate that the terminal refreshes with the first base station and the base station.
- the key used for line communication is used to indicate that the terminal refreshes with the first base station and the base station.
- the first key refresh indication information includes: the PCI and frequency information of the target cell used for the current key refresh, and the next hop NH value used for the current key refresh; or
- the current primary cell's PCI and frequency information are used to perform key refresh indication information and the NH value used for the current key refresh.
- the processing module 112 is further configured to:
- the first indication information is sent to the first base station, where the first indication information is used to indicate that the data of the terminal is temporarily forwarded to the local base station;
- the first indication information is sent to the first base station, where the first indication information is used to indicate that the data of the terminal is temporarily forwarded to the local base station.
- the first base station and the base station generate a key used to communicate with the terminal based on different security keys
- the receiving module 111 is further configured to receive first indication information sent by the first base station, where the first indication information is used to indicate to suspend data transmission related to the terminal;
- the processing module 112 is further configured to suspend data transmission related to the terminal, and resume the data transmission related to the terminal after the receiving module 111 receives the indication sent by the first base station to indicate that the data transmission related to the terminal is resumed.
- processing module 112 is further configured to:
- the second key refresh indication information is sent to the terminal, and after receiving the second feedback information returned by the terminal for notifying that the key refresh has been completed, the first base station is notified to resume.
- the receiving module 111 After receiving the first indication information sent by the first base station, the receiving module 111 sends the second key refresh indication information to the terminal, and receives the second feedback information that is returned by the terminal and is used to notify that the key refresh has been completed. After the first base station terminal is notified that the key refresh has been completed, the second key refresh indication information is used to instruct the terminal to refresh the key communicated with the first base station; or After determining that the local key update needs to be performed, sending the second key update indication information to the terminal, and after receiving the second reply information returned by the terminal for notifying that the current key update has been completed, notifying the first base station to resume Data transmission related to the terminal, where the second key update indication information is used to instruct the terminal to update the key communicated with the base station; or
- the receiving module 111 After receiving the first indication information sent by the first base station, the receiving module 111 sends the second key update indication information to the terminal, and receives the second reply information that is returned by the terminal and is used to notify that the current key update has been completed. After that, the first base station terminal is notified that the current key update has been completed, where the second key update indication information is used to instruct the terminal to update the key for communicating with the first base station.
- the second key refresh indication information includes: the PCI and frequency information of the target cell used for the current key refresh, and the NH value used for the current key refresh; or
- the PCI and frequency information of the primary cell performs key refresh indication information and the NH value used for the current key refresh.
- the second key refresh indication information further includes information of the cell designated by the first base station or the second base station for random access by the terminal.
- the first base station and the local base station generate a key used for communication with the terminal based on the same security key
- the receiving module 111 is further configured to: receive the first key update indication information sent by the first base station, where the first key update indication information carries the first base station to obtain a new security key from the MME;
- the processing module 112 is further configured to: update a key used for communicating with the terminal according to the new security key; and return to the first base station to notify that the current key update is completed after completing the current key update First reply message.
- processing module 112 is further configured to:
- the receiving module 111 After receiving the first key update indication information sent by the first base station, the receiving module 111 sends the second key update indication information to the terminal, and receives the first returned by the terminal to notify that the current key update has been completed. After the second reply message, the first base station terminal is notified that the current key update has been completed.
- the second key update indication information is used to indicate that the terminal updates the key used for communicating with the first base station and the base station.
- the processing module 112 is further configured to:
- the data transmission related to the terminal is suspended; and after determining that both the terminal and the terminal complete the local key refresh, the refreshed Key recovery and terminal related data transmission;
- an embodiment of the present invention further provides a terminal.
- the terminal includes:
- the receiving module 121 is configured to receive second request information sent by the first base station or the second base station, where the second request information is used to request the terminal to generate a key used for communicating with the second base station;
- the processing module 122 is configured to generate, according to the second request information, a key used for communicating with the second base station.
- processing module 122 is specifically configured to:
- processing module 122 is specifically configured to:
- the processing module 122 is further configured to: Performing random access on the cell corresponding to the PCI and frequency information used to generate the security key of the second base station included in the second request information to access the second base station; or, included in the second request information
- the first base station or the second base station performs random access on the cell designated by the terminal for random access to access the second base station.
- the receiving module 121 is further configured to: receive second key refresh indication information sent by the first base station or the second base station, where the second key refresh indication information is used to indicate that the terminal refreshes with the first base station and/or the second a key used by the base station to communicate;
- the processing module 122 is further configured to: generate a new security key according to the information carried in the second key refresh indication information, and generate a secret used for communication with the first base station and/or the second base station based on the new security key. And returning, to the first base station or the second base station, second feedback information for notifying that the current key refresh has been completed.
- the second key refresh indication information includes: the PCI and frequency information of the target cell used for the current key refresh, and the NH value used for the current key refresh; or
- the PCI and frequency information of the primary cell performs key refresh indication information and the NH value used for the current key refresh.
- the second key refresh indication information further includes information that the first base station or the second base station performs, for the terminal, the cell specified by the random access, and the terminal performs random access on the indicated cell; or, the second The key refresh indication information indicates that the terminal does not perform random access, and the terminal does not perform random access.
- the receiving module 121 is further configured to receive, by the first base station or the second base station, second key update indication information, where the second key update indication information is used to indicate that the terminal update is performed by using the first base station and the second base station.
- the processing module 122 is further configured to generate a new security key according to the saved security context information, and generate a key used for communicating with the first base station and the second base station according to the new security key; and to the first base station or the first The second base station returns a second reply message for notifying that the current key update has been completed.
- another base station provided by the embodiment of the present invention includes:
- the transceiver 131 is configured to receive first request information sent by the first base station, where the first request information is used to request the base station to generate a key used for communicating with the terminal;
- the processor 132 is configured to generate, according to the security key carried in the first request information, a key used for communicating with the terminal;
- the base station and the first base station both have a communication connection with the terminal.
- the processor 132 is specifically configured to:
- the processor 132 generates a security key different from the first security key, and specifically includes: determining at least one physical cell identifier PCI and frequency information of a cell covered by the second base station, and according to the determined PCI of the cell. The frequency information and the first security key generate a security key different from the first security key.
- the processor 132 is specifically configured to:
- transceiver 131 is also used to:
- the second request information After receiving the first request information sent by the first base station, the second request information is sent to the terminal, where the second request information is used to request the terminal to generate a key used for communication with the second base station.
- the first base station and the local base station generate a key used for communication with the terminal based on the same security key
- the transceiver 131 is further configured to receive the first key refresh indication information sent by the first base station, where the first key refresh indication information is used to indicate that the base station refreshes a key used for communicating with the terminal;
- the processor 132 is further configured to generate a new security according to the information carried in the first key refresh indication information. The full key, and the key used to communicate with the terminal is generated based on the new security key. In an implementation, if the first base station and the local base station generate a key used for communication with the terminal based on the same security key, the processor 132 is further configured to:
- the triggering transceiver 131 After determining that the key refresh is required, the triggering transceiver 131 sends the first key refresh indication information to the first base station, where the first key refresh indication information is used to indicate that the first base station refreshes the key used for communicating with the terminal; And after the transceiver 131 receives the first feedback information returned by the first base station to notify that the current key refresh has been completed, and after the local key refresh has been completed, the communication between the refreshed key and the terminal is used.
- the processor 132 is further configured to: after determining that the key refresh is required, the trigger transceiver 131 sends the second key refresh indication information to the terminal, and receives the return from the terminal at the transceiver 131 for notifying the current time. After the key refreshes the completed second feedback information, the key is used to communicate with the terminal;
- the transceiver 131 is further configured to: after receiving the first key refresh indication information sent by the first base station, send the second key refresh indication information to the terminal, and receive the return of the key to notify the current key refresh After the second feedback information is completed, the first base station terminal is notified that the key refresh has been completed.
- the second key refresh indication information is used to indicate that the terminal refreshes the key used for communicating with the first base station and the base station. .
- the transceiver 131 is further configured to:
- the processor 132 determines that the local key refresh is required, the first indication information is sent to the first base station, where the first indication information is used to indicate that the data of the terminal is temporarily forwarded to the local base station; or After the key is updated, the first indication information is sent to the first base station, where the first indication information is used to indicate that the data of the terminal is temporarily forwarded to the local base station.
- the first base station and the base station generate a key used to communicate with the terminal based on different security keys
- the transceiver 131 is further configured to receive first indication information sent by the first base station, where the first indication information is Used to indicate that data transmission related to the terminal is suspended;
- the processor 132 is further configured to suspend data transmission related to the terminal, and resume the data transmission related to the terminal after the transceiver 131 receives the indication sent by the first base station to indicate that the data transmission related to the terminal is resumed.
- transceiver 131 is also used to:
- the second key refresh indication information is sent to the terminal, and after receiving the second feedback information returned by the terminal for notifying that the key refresh has been completed, the notification is notified.
- a base station recovers a data transmission related to the terminal, where the second key refresh indication information is used to instruct the terminal to refresh the key communicated with the base station;
- the first base station terminal After receiving the first indication information sent by the first base station, sending the second key refresh indication information to the terminal, and after receiving the second feedback information returned by the terminal for notifying that the key refresh has been completed, The first base station terminal has completed the current key refresh, where the second key refresh indication information is used to instruct the terminal to refresh the key for communicating with the first base station; or
- the second key update indication information is sent to the terminal, and after receiving the second reply information returned by the terminal for notifying that the current key update has been completed, the notification is notified.
- a base station recovers a data transmission related to the terminal, where the second key update indication information is used to instruct the terminal to update a key for communicating with the base station;
- the first base station terminal After receiving the first indication information sent by the first base station, sending the second key update indication information to the terminal, and after receiving the second reply information returned by the terminal for notifying that the current key update has been completed, The first base station terminal has completed the current key update, and the second key update indication information is used to instruct the terminal to update the key communicated with the first base station.
- the first base station and the local base station generate a key used for communication with the terminal based on the same security key
- the transceiver 131 is further configured to: receive the first key update indication information that is sent by the first base station, where the first key update indication information carries the first base station to obtain a new security key from the MME;
- the processor 132 is further configured to: update a key used for communicating with the terminal according to the new security key; and after completing the current key update, trigger the transceiver 131 to return to the first base station for The first reply message that the key update has been completed is notified.
- transceiver 131 is also used to:
- the first base station terminal After receiving the first key update indication information sent by the first base station, sending the second key update indication information to the terminal, and receiving the second reply information returned by the terminal for notifying that the current key update has been completed. Then, the first base station terminal is notified that the current key update has been completed, where the second key update indication information is used to instruct the terminal to update the key used for communication with the first base station and the base station.
- processor 132 is also used to:
- the data transmission related to the terminal is suspended; and after determining that both the terminal and the terminal complete the local key refresh, the refreshed Key recovery and terminal related data transmission;
- another terminal provided by the embodiment of the present invention has a communication connection between the terminal and the first base station and the second base station, and includes:
- the transceiver 141 is configured to receive second request information sent by the first base station or the second base station, where the second request information is used to request the terminal to generate a key used for communicating with the second base station;
- the processor 142 is configured to generate, according to the second request information, a key used for communicating with the second base station.
- processor 142 is specifically configured to:
- the transceiver 141 is further configured to: receive an identifier that is used by the MME to generate security context information used by the second security key;
- the processor 142 is further configured to: generate a second security key according to the saved security context information corresponding to the identifier.
- the processor 142 is further configured to:
- the first base station or the second base station performs random access on the cell designated by the terminal for random access to access the second base station.
- the transceiver 141 is further configured to: receive, by the first base station or the second base station, second key refresh indication information, where the second key refresh indication information is used to indicate that the terminal refreshes with the first base station and/or the a key used by the second base station to communicate;
- the processor 142 is further configured to: generate a new security key according to the information carried in the second key refresh indication information, and generate a secret used for communication with the first base station and/or the second base station based on the new security key. And triggering the transceiver 141 to return, to the first base station or the second base station, second feedback information for notifying that the current key refresh has been completed.
- the transceiver 141 is further configured to: receive, by the first base station or the second base station, second key update indication information, where the second key update indication information is used to indicate that the terminal updates the first base station and the second base station.
- the processor 142 is further configured to: generate a new security key according to the saved security context information, and generate a key used for communication with the first base station and the second base station according to the new security key; and trigger the transceiver 141 to The first base station or the second base station returns second reply information for notifying that the current key update has been completed.
- embodiments of the present invention can be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or a combination of software and hardware. Moreover, the invention may be employed in one or more A computer program product embodied on a computer usable storage medium (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer usable program code.
- a computer usable storage medium including but not limited to disk storage, CD-ROM, optical storage, etc.
- the computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture comprising the instruction device.
- the apparatus implements the functions specified in one or more blocks of a flow or a flow and/or block diagram of the flowchart.
- These computer program instructions can also be loaded onto a computer or other programmable data processing device such that a series of operational steps are performed on a computer or other programmable device to produce computer-implemented processing for execution on a computer or other programmable device.
- the instructions provide steps for implementing the functions specified in one or more of the flow or in a block or blocks of a flow diagram.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
Selon des modes de réalisation, la présente invention concerne un procédé et un dispositif de traitement de clé en mode de connexion double, garantissant la sécurité des communications d'un UE en mode de connexion double. Le procédé selon les modes de réalisation de la présente invention comprend les étapes suivantes : une première station de base et une seconde station de base établissent chacune une connexion de communication avec un terminal, la seconde station de base recevant des premières informations de demande envoyées par la première station de base, et les premières informations de demande étant utilisées afin de demander à ladite seconde station de base de générer une clé utilisée pour des communications avec le terminal ; la seconde station de base génère, sur la base de la clé de sécurité contenue dans lesdites premières informations de demande, une clé utilisée pour des communications avec le terminal.
Priority Applications (8)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810950275.XA CN109560923B (zh) | 2013-11-01 | 2013-11-01 | 一种双连接模式下的密钥处理方法和设备 |
CN201380003342.2A CN103959829B (zh) | 2013-11-01 | 2013-11-01 | 一种双连接模式下的密钥处理方法和设备 |
EP20204543.1A EP3852413A1 (fr) | 2013-11-01 | 2013-11-01 | Procédé de traitement de clé en mode de connectivité double et dispositif |
PCT/CN2013/086469 WO2015062097A1 (fr) | 2013-11-01 | 2013-11-01 | Procédé et dispositif de traitement de clé en mode de connexion double |
EP13896385.5A EP3057349A4 (fr) | 2013-11-01 | 2013-11-01 | Procédé et dispositif de traitement de clé en mode de connexion double |
US15/143,113 US10735953B2 (en) | 2013-11-01 | 2016-04-29 | Key processing method in dual connectivity mode and device |
US16/796,918 US11418325B2 (en) | 2013-11-01 | 2020-02-20 | Key processing method in dual connectivity mode and device |
US17/849,384 US20220353059A1 (en) | 2013-11-01 | 2022-06-24 | Key processing method in dual connectivity mode and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2013/086469 WO2015062097A1 (fr) | 2013-11-01 | 2013-11-01 | Procédé et dispositif de traitement de clé en mode de connexion double |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/143,113 Continuation US10735953B2 (en) | 2013-11-01 | 2016-04-29 | Key processing method in dual connectivity mode and device |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2015062097A1 true WO2015062097A1 (fr) | 2015-05-07 |
Family
ID=51334891
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2013/086469 WO2015062097A1 (fr) | 2013-11-01 | 2013-11-01 | Procédé et dispositif de traitement de clé en mode de connexion double |
Country Status (4)
Country | Link |
---|---|
US (3) | US10735953B2 (fr) |
EP (2) | EP3852413A1 (fr) |
CN (2) | CN109560923B (fr) |
WO (1) | WO2015062097A1 (fr) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20170026347A1 (en) * | 2015-07-24 | 2017-01-26 | Futurewei Technologies, Inc. | Ultra Dense Network Security Architecture and Method |
KR20170042314A (ko) * | 2014-08-04 | 2017-04-18 | 삼성전자주식회사 | 이중 연결성 이동 통신 네트워크에서의 시그널링 |
CN109168161A (zh) * | 2018-08-27 | 2019-01-08 | 创新维度科技(北京)有限公司 | 安全模式激活方法、装置、系统和计算机存储介质 |
Families Citing this family (38)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP2995019B1 (fr) * | 2013-05-09 | 2019-01-30 | Intel IP Corporation | Communications de petites données |
WO2015113207A1 (fr) * | 2014-01-28 | 2015-08-06 | 华为技术有限公司 | Procédé de changement de mot de passe de sécurité, station de base et équipement utilisateur |
EP3122140A4 (fr) * | 2014-03-19 | 2017-11-15 | Sharp Kabushiki Kaisha | Dispositif de terminal, dispositif de station de base, système de communication, procédé de communication et circuit intégré |
CN105900471B (zh) * | 2014-08-08 | 2019-06-21 | 华为技术有限公司 | 密钥流元素更新装置、方法及双连接系统 |
EP3206454B1 (fr) | 2014-10-23 | 2018-12-05 | Huawei Technologies Co. Ltd. | Procédés de connexion de commande de ressource radio (rrc) et appareils |
PL3216300T3 (pl) | 2014-11-04 | 2019-02-28 | Telefonaktiebolaget Lm Ericsson (Publ) | Urządzenie do komunikacji bezprzewodowej, węzeł sieci i realizowane w nich sposoby dla usprawnionych transmisji o dostępie bezpośrednim |
CN107079336B (zh) * | 2014-11-07 | 2021-03-30 | 日本电气株式会社 | 无线通信系统、基站和通信方法 |
CN106134272B (zh) | 2015-01-30 | 2020-01-31 | 华为技术有限公司 | 通信方法、网络设备、用户设备和通信系统 |
EP3348112A1 (fr) | 2015-09-07 | 2018-07-18 | Nokia Solutions and Networks Oy | Procédé et appareil pour la mise en oeuvre d'une commande de ressources radio à connectivité multiple |
CN106559780A (zh) * | 2015-09-25 | 2017-04-05 | 展讯通信(上海)有限公司 | 移动终端及其lte和wlan汇聚时数据传输控制方法 |
US10368238B2 (en) * | 2015-12-01 | 2019-07-30 | Htc Corporation | Device and method of handling data transmission/reception for dual connectivity |
US10638282B2 (en) | 2015-12-31 | 2020-04-28 | Huawei Technologies Co., Ltd. | Charging system and method, and network device |
KR102437619B1 (ko) * | 2016-04-01 | 2022-08-29 | 삼성전자주식회사 | 보안 키를 생성하기 위한 장치 및 방법 |
CN109196897B (zh) * | 2016-04-05 | 2022-04-26 | 诺基亚通信公司 | 用于5g mc的优化的安全密钥刷新过程 |
US10681541B2 (en) | 2016-04-29 | 2020-06-09 | Nokia Technologies Oy | Security key usage across handover that keeps the same wireless termination |
CN109565706B (zh) * | 2016-09-29 | 2021-06-22 | 华为技术有限公司 | 一种数据加密的方法及装置 |
CN108282836B (zh) * | 2017-01-06 | 2020-10-30 | 展讯通信(上海)有限公司 | 辅基站切换方法、装置及基站 |
CN108633018B (zh) * | 2017-03-23 | 2024-02-02 | 华为技术有限公司 | 配置方法、装置及系统 |
KR102445163B1 (ko) * | 2017-05-15 | 2022-09-20 | 삼성전자주식회사 | 무선 통신 시스템의 보안 키를 관리하는 장치 및 방법 |
WO2018227480A1 (fr) * | 2017-06-15 | 2018-12-20 | Qualcomm Incorporated | Rafraîchissement de clés de sécurité dans des systèmes sans fil 5g |
CN109309919B (zh) * | 2017-07-27 | 2021-07-20 | 华为技术有限公司 | 一种通信方法及设备 |
CN109309918B (zh) * | 2017-07-27 | 2021-06-08 | 华为技术有限公司 | 通信方法、基站和终端设备 |
CN109560919B (zh) * | 2017-09-27 | 2021-02-09 | 华为技术有限公司 | 一种密钥衍生算法的协商方法及装置 |
CN113660660A (zh) * | 2018-01-08 | 2021-11-16 | 华为技术有限公司 | 一种更新密钥的方法及装置 |
CN110167018B (zh) * | 2018-02-11 | 2021-12-10 | 华为技术有限公司 | 一种安全保护的方法、装置及接入网设备 |
AU2018409908B2 (en) * | 2018-02-23 | 2021-10-28 | Guangdong Oppo Mobile Telecommunications Corp., Ltd. | Method and device for determining security algorithm, and computer storage medium |
US10972909B2 (en) * | 2018-03-02 | 2021-04-06 | Intel Corporation | Synched group key rekeying |
US11071025B2 (en) | 2018-06-29 | 2021-07-20 | FG Innovation Company Limited | Cell handover with minimum mobility interruption |
CN110896539B (zh) * | 2018-09-12 | 2021-03-19 | 维沃移动通信有限公司 | 处理方法和设备 |
CN112655245A (zh) * | 2018-09-19 | 2021-04-13 | Oppo广东移动通信有限公司 | 一种数据传输方法、设备及存储介质 |
CN111194032B (zh) * | 2018-11-14 | 2021-08-13 | 华为技术有限公司 | 一种通信方法及其装置 |
CN112703770B (zh) * | 2019-01-11 | 2023-11-10 | Oppo广东移动通信有限公司 | 一种rrc连接重建方法及装置、网络设备 |
CN111641582B (zh) * | 2019-03-01 | 2021-11-09 | 华为技术有限公司 | 一种安全保护方法及装置 |
CN112449346B (zh) * | 2019-09-04 | 2022-09-23 | 华为技术有限公司 | 通信方法、装置及计算机可读存储介质 |
CN113068183A (zh) * | 2019-12-26 | 2021-07-02 | 大唐移动通信设备有限公司 | 一种安全密钥的更新方法及装置 |
US11558183B2 (en) * | 2020-05-15 | 2023-01-17 | Bank Of America Corporation | System for exchanging symmetric cryptographic keys using computer network port knocking |
US20210218548A1 (en) * | 2021-03-26 | 2021-07-15 | Intel Corporation | Technologies for real-time updating of encryption keys |
US20240015504A1 (en) * | 2022-07-07 | 2024-01-11 | Qualcomm Incorporated | Deriving physical layer keys for sidelink secure sidelink communication |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1627716A (zh) * | 2003-12-10 | 2005-06-15 | 联想(北京)有限公司 | 有线设备与无线设备智能组网方法及拓展应用方法 |
WO2013116976A1 (fr) * | 2012-02-06 | 2013-08-15 | Nokia Corporation | Procédé et appareil d'accès rapide |
Family Cites Families (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP4596256B2 (ja) * | 2005-08-02 | 2010-12-08 | ソニー株式会社 | 送受信システムおよび方法、送信装置および方法、受信装置および方法、並びにプログラム |
US8948395B2 (en) * | 2006-08-24 | 2015-02-03 | Qualcomm Incorporated | Systems and methods for key management for wireless communications systems |
US8200241B2 (en) * | 2007-09-24 | 2012-06-12 | Zte Corporation | Terminal random access method for cellular radio communications system and method for generating group identifier |
JP4394730B1 (ja) * | 2008-06-27 | 2010-01-06 | 株式会社エヌ・ティ・ティ・ドコモ | 移動通信方法及び移動局 |
US20120159151A1 (en) * | 2010-12-21 | 2012-06-21 | Tektronix, Inc. | Evolved Packet System Non Access Stratum Deciphering Using Real-Time LTE Monitoring |
WO2012167184A2 (fr) * | 2011-06-02 | 2012-12-06 | Interdigital Patent Holdings, Inc. | Procédés, appareil et systèmes pour gérer des communications de passerelle convergée |
KR101428875B1 (ko) * | 2011-11-30 | 2014-08-12 | 주식회사 알티캐스트 | Hls 기반 보안 처리 시스템 및 그 방법 |
CN103188663B (zh) * | 2011-12-27 | 2016-08-03 | 华为技术有限公司 | 基站间载波聚合的安全通讯方法及设备 |
WO2013117009A1 (fr) * | 2012-02-10 | 2013-08-15 | Nokia Corporation | Procédé et appareil pour une meilleure commande des connexions |
CN102740289B (zh) * | 2012-06-15 | 2015-12-02 | 电信科学技术研究院 | 一种密钥更新方法、装置及系统 |
KR101589911B1 (ko) * | 2012-08-03 | 2016-02-18 | 주식회사 케이티 | 랜덤 액세스 전력 제어 방법 및 장치 |
KR101964083B1 (ko) * | 2012-10-31 | 2019-04-01 | 삼성전자 주식회사 | 무선 통신 시스템에서 기지국간 반송파 집적을 통한 데이터 전송 방법 및 장치 |
CN103052038B (zh) * | 2013-01-04 | 2015-08-12 | 中兴通讯股份有限公司 | 一种建立组呼上下文的方法和系统、基站、集群epc |
EP2995019B1 (fr) * | 2013-05-09 | 2019-01-30 | Intel IP Corporation | Communications de petites données |
ES2890499T3 (es) * | 2013-09-11 | 2022-01-20 | Samsung Electronics Co Ltd | Procedimiento y sistema para posibilitar una comunicación segura para una transmisión inter-eNB |
-
2013
- 2013-11-01 EP EP20204543.1A patent/EP3852413A1/fr active Pending
- 2013-11-01 CN CN201810950275.XA patent/CN109560923B/zh active Active
- 2013-11-01 WO PCT/CN2013/086469 patent/WO2015062097A1/fr active Application Filing
- 2013-11-01 CN CN201380003342.2A patent/CN103959829B/zh active Active
- 2013-11-01 EP EP13896385.5A patent/EP3057349A4/fr not_active Withdrawn
-
2016
- 2016-04-29 US US15/143,113 patent/US10735953B2/en active Active
-
2020
- 2020-02-20 US US16/796,918 patent/US11418325B2/en active Active
-
2022
- 2022-06-24 US US17/849,384 patent/US20220353059A1/en active Pending
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1627716A (zh) * | 2003-12-10 | 2005-06-15 | 联想(北京)有限公司 | 有线设备与无线设备智能组网方法及拓展应用方法 |
WO2013116976A1 (fr) * | 2012-02-06 | 2013-08-15 | Nokia Corporation | Procédé et appareil d'accès rapide |
Non-Patent Citations (1)
Title |
---|
See also references of EP3057349A4 * |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20170042314A (ko) * | 2014-08-04 | 2017-04-18 | 삼성전자주식회사 | 이중 연결성 이동 통신 네트워크에서의 시그널링 |
KR102288057B1 (ko) | 2014-08-04 | 2021-08-11 | 삼성전자 주식회사 | 이중 연결성 이동 통신 네트워크에서의 시그널링 |
US11743244B2 (en) | 2014-08-04 | 2023-08-29 | Samsung Electronics Co., Ltd. | Signaling in dual connectivity mobile communication networks |
US20170026347A1 (en) * | 2015-07-24 | 2017-01-26 | Futurewei Technologies, Inc. | Ultra Dense Network Security Architecture and Method |
US10412056B2 (en) * | 2015-07-24 | 2019-09-10 | Futurewei Technologies, Inc. | Ultra dense network security architecture method |
CN109168161A (zh) * | 2018-08-27 | 2019-01-08 | 创新维度科技(北京)有限公司 | 安全模式激活方法、装置、系统和计算机存储介质 |
Also Published As
Publication number | Publication date |
---|---|
US20200267545A1 (en) | 2020-08-20 |
US20220353059A1 (en) | 2022-11-03 |
EP3057349A1 (fr) | 2016-08-17 |
US20160249210A1 (en) | 2016-08-25 |
CN103959829B (zh) | 2018-09-21 |
US10735953B2 (en) | 2020-08-04 |
CN109560923B (zh) | 2021-12-14 |
EP3852413A1 (fr) | 2021-07-21 |
CN109560923A (zh) | 2019-04-02 |
EP3057349A4 (fr) | 2016-08-17 |
US11418325B2 (en) | 2022-08-16 |
CN103959829A (zh) | 2014-07-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2015062097A1 (fr) | Procédé et dispositif de traitement de clé en mode de connexion double | |
US11425618B2 (en) | Communication security processing method and apparatus, and system | |
EP2663107B1 (fr) | Procédé et appareil de génération de clé | |
CN105103517B (zh) | 一种安全密钥更改方法和基站及用户设备 | |
US20170359719A1 (en) | Key generation method, device, and system | |
CN109804705A (zh) | 用于恢复无线设备的无线电连接的方法、设备和节点 | |
WO2013097672A1 (fr) | Procédé et dispositif de communication de sécurité d'agrégation de porteuses inter-stations de base | |
WO2013116976A1 (fr) | Procédé et appareil d'accès rapide | |
WO2014023269A1 (fr) | Procédé et appareil de commande de commutation | |
WO2014110908A1 (fr) | Procédé de transmission de données sécurisée et système de réseau d'accès lte | |
WO2012171281A1 (fr) | Procédé de modification de paramètre de sécurité, et station de base | |
WO2013029461A1 (fr) | Procédé de transmission de données sécurisée et dispositif associé | |
WO2020056433A2 (fr) | Communication sécurisée de demande de commande de ressource radio (rrc) sur porteuse radio de signal zéro (srb0) | |
WO2015027524A1 (fr) | Méthode de communication, dispositif côté réseau, et équipement utilisateur | |
WO2014094663A1 (fr) | Procédé et dispositif d'optimisation de cellules | |
JP2017098986A (ja) | Mtcのためのシステム、コアネットワーク、及び方法 | |
KR102104844B1 (ko) | 데이터 전송 방법, 제1 장치 및 제2 장치 | |
WO2020191782A1 (fr) | Procédé et dispositif de transmission de données | |
CN109803257B (zh) | 一种安全信息更新方法及接入网设备 | |
CN109842484B (zh) | 一种下一跳链计数器更新方法、装置及设备 | |
WO2014040259A1 (fr) | Procédé pour le rétablissement d'une connexion de gestion des ressources radioélectriques, dispositif et système de réseau | |
WO2021238813A1 (fr) | Procédé et appareil d'obtention de clé | |
CN112154682B (zh) | 密钥更新方法、设备和存储介质 | |
CN115175181A (zh) | 一种通信的方法及装置 | |
CN101902736B (zh) | 空中接口密钥的更新方法、核心网节点及无线接入系统 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 13896385 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
REEP | Request for entry into the european phase |
Ref document number: 2013896385 Country of ref document: EP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2013896385 Country of ref document: EP |